Signed cookies

Cookie handling based on paste.auth.auth_tkt, with some bug fixes and improvements.

Supported cookie options (described in detail in the AuthKit manual):

cookie_name
cookie_secure
cookie_includeip
cookie_signoutpath
cookie_secret
cookie_enforce_expires
cookie_params = expires
                path
                comment
                domain
                max-age
                secure
                version

Supported in the middleware but not yet used:

tokens=()
user_data=''
time=None

Differences from the original paste version:

  1. The authenticate middleware uses the AuthKit version of make_middleware.
  2. BadTicket handling is in place.
  3. A custom AuthTicket can be used.
  4. The custom AuthTicket accepts the cookie params specified in the config file.
  5. The cookie timestamp is made available in the environment as paste.auth_tkt.timestamp.

Warning

Don't rely on the BadTicket handling or the server-side expiry check as the normal way a session ends: when either is triggered the request is rejected and the sign-in form isn't displayed.

Instead, let the cookie expire naturally in the browser. For this reason the server-side expiry check allows one second longer than the cookie's expires value, so it only kicks in if the cookie fails to expire on the client (for example a client that ignores the expires attribute).

Here is an example:

from paste.httpserver import serve
from authkit.authenticate import middleware, test_app

def valid(environ, username, password):
    # Toy password check for the demo: accept any user whose password
    # equals the username. Replace with a real lookup in production.
    return username == password

app = middleware(
    test_app,
    # Sign in via an HTML form; the result is remembered in a signed cookie.
    method='form',
    # Secret used to sign the cookie (it is not encrypted; see the warning below).
    cookie_secret='secret encryption string',
    valid=valid,
    # Visiting this path clears the cookie and signs the user out.
    cookie_signoutpath = '/signout',
    # Cookie attributes, one "name:value" per line. expires is in seconds.
    cookie_params = '''
        expires:10
        comment:test cookie
    ''',
    # Also enforce the expiry on the server side (one second of grace).
    cookie_enforce = True
)
serve(app)

Warning

The cookie is signed, not encrypted: the username that ends up in REMOTE_USER and any user data you specify are stored in plain text in the cookie, so anyone who can read the cookie (a proxy, a shared machine, a log file) can read them. Design your application with this in mind, and in particular never store passwords as user data.
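To make the two warnings above concrete, here is an added, self-contained reimplementation of the auth_tkt ticket format that this module inherits from paste.auth.auth_tkt. It is example code written for this page, not AuthKit's or paste's own code: the digest construction and the digest/timestamp/userid!tokens!user_data layout follow the mod_auth_tkt scheme, the BadTicket class and the environment keys REMOTE_USER, REMOTE_USER_TOKENS and REMOTE_USER_DATA are assumed to match paste's names, the paste.auth_tkt.timestamp key is the one this page describes, and check_cookie() is an illustrative version of the one-second server-side grace period, not AuthKit's exact code. The sample secret, user and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, unquote


class BadTicket(Exception):
    """Raised when a ticket is malformed, tampered with, or expired."""


def _encode_ip_timestamp(ip, timestamp):
    # 4 raw IP octets followed by the timestamp as a 4-byte big-endian int.
    return bytes(int(part) for part in ip.split('.')) + int(timestamp).to_bytes(4, 'big')


def calculate_digest(ip, timestamp, secret, userid, tokens, user_data):
    # Two rounds of MD5 as mod_auth_tkt / paste.auth.auth_tkt do it. MD5 is
    # kept here only for format compatibility; a new design should use HMAC.
    inner = hashlib.md5(
        _encode_ip_timestamp(ip, timestamp)
        + secret.encode() + userid.encode() + b'\0'
        + tokens.encode() + b'\0' + user_data.encode()
    ).hexdigest()
    return hashlib.md5(inner.encode() + secret.encode()).hexdigest()


def make_ticket(secret, userid, ip='0.0.0.0', tokens=(), user_data='', now=None):
    """Build the cookie value: <32 hex digest><8 hex timestamp><userid>!<tokens>!<data>."""
    now = int(time.time() if now is None else now)
    token_str = ','.join(tokens)
    digest = calculate_digest(ip, now, secret, userid, token_str, user_data)
    value = '%s%08x%s!' % (digest, now, quote(userid))
    if token_str:
        value += token_str + '!'
    return value + user_data


def peek_username(ticket):
    """Read the username WITHOUT the secret: it is plain text after byte 40."""
    return unquote(ticket.strip('"')[40:].split('!', 1)[0])


def parse_ticket(secret, ticket, ip='0.0.0.0'):
    """Verify the signature and return (timestamp, userid, tokens, user_data)."""
    ticket = ticket.strip('"')
    digest = ticket[:32]
    try:
        timestamp = int(ticket[32:40], 16)
    except ValueError:
        raise BadTicket('timestamp is not a hex integer')
    try:
        userid, data = ticket[40:].split('!', 1)
    except ValueError:
        raise BadTicket('userid is not followed by !')
    userid = unquote(userid)
    if '!' in data:
        tokens, user_data = data.split('!', 1)
    else:
        tokens, user_data = '', data
    expected = calculate_digest(ip, timestamp, secret, userid, tokens, user_data)
    # Constant-time compare so a forger cannot time the digest check.
    if not hmac.compare_digest(expected, digest):
        raise BadTicket('digest does not match')
    return timestamp, userid, tokens.split(',') if tokens else [], user_data


def check_cookie(secret, ticket, expires_seconds, now=None, ip='0.0.0.0'):
    """Illustrative server-side enforcement: reject only once the ticket is
    older than expires + 1 second, so the browser's own expiry normally wins."""
    now = int(time.time() if now is None else now)
    timestamp, userid, tokens, user_data = parse_ticket(secret, ticket, ip)
    if now - timestamp > expires_seconds + 1:
        raise BadTicket('ticket expired (server-side enforcement)')
    # Values the middleware would place in the WSGI environ.
    return {
        'REMOTE_USER': userid,
        'REMOTE_USER_TOKENS': tokens,
        'REMOTE_USER_DATA': user_data,
        'paste.auth_tkt.timestamp': timestamp,
    }


if __name__ == '__main__':
    t = make_ticket('secret', 'alice', tokens=('admin',), user_data='theme=dark', now=1000)
    print('cookie value:', t)
    print('username visible without secret:', peek_username(t))
    print('environ at t+10:', check_cookie('secret', t, 10, now=1010))
    for bad in (t.replace('alice', 'mallory'), t):
        try:
            check_cookie('secret', bad, 10, now=1012)
        except BadTicket as e:
            print('rejected:', e)
```

Running this shows that the ticket verifies and round-trips, that a change to the user name fails the digest check, that the user name and user data are readable by anyone holding the cookie, and that at expires=10 the server still accepts the ticket at 11 seconds but rejects it at 12.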
