On Tue, Jun 20, 2017 at 11:34 AM, Bert JW Regeer <[email protected]> wrote:
> AuthTkt relies on the browser's goodwill; what you are looking for is a way
> for you to expire an authentication session server side:
>
> https://usingnamespace.gitlab.io/pyramid_authsanity/faq.html#why-tickets
That says that storing the user ID in a cookie is a bad idea, but isn't that what AuthTktAuthenticationFactory does? It says that it's better to have a server-side list of valid tokens, but does AuthTktAuthenticationFactory have that, and if so, where? If it doesn't, why is it called a ticket? It seems to be the non-ticket the article is disrecommending.

Whereas if the server did have a list of valid tickets, then it could just delete the ticket, and if the client then comes back with a ticket-cookie that should have expired, the application can tell the browser where to go.
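The distinction the message is asking about, worked through as an added example (not code from this thread, from Pyramid's AuthTkt policy, or from pyramid_authsanity): a stateless signed cookie in the AuthTkt style, where the server keeps nothing and so can only wait for the embedded expiry, beside a server-side ticket store where the cookie carries an opaque random ID and deleting the server-side entry invalidates it immediately. The cookie layout, the `SECRET` value and the in-memory `TicketStore` are assumptions made for illustration; the real auth_tkt wire format differs.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the demo: a per-deployment secret. Load it from config in real code.
SECRET = b"constructed-demo-secret"


# --- Style 1: stateless, AuthTkt-like signed cookie ------------------------
# The cookie carries the user id and an expiry, protected by an HMAC. The
# server stores nothing, so verification can only check the signature and the
# clock; there is no server-side state to delete on logout.

def make_signed_cookie(userid, ttl, now=None):
    now = time.time() if now is None else now
    expires = int(now) + ttl
    payload = f"{userid}|{expires}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def check_signed_cookie(cookie, now=None):
    """Return the user id if the cookie is validly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        userid, expires, sig = cookie.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{userid}|{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare on bytes: a str compare would leak timing and
    # raises TypeError on non-ASCII input.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    if int(expires) < now:  # safe: the signature already proved we wrote this value
        return None
    return userid


# --- Style 2: server-side list of valid tickets -----------------------------
# The cookie is an opaque random token. User id and expiry live on the server,
# so a logout (or an admin action) simply deletes the entry and the browser's
# copy of the ticket becomes worthless on its next request.

class TicketStore:
    def __init__(self):
        self._tickets = {}  # ticket -> (userid, expires); assumption: in-memory for the demo

    def issue(self, userid, ttl, now=None):
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # 256 bits of randomness; unguessable
        self._tickets[ticket] = (userid, int(now) + ttl)
        return ticket

    def lookup(self, ticket, now=None):
        """Return the user id for a live ticket, or None (and drop it if expired)."""
        now = time.time() if now is None else now
        entry = self._tickets.get(ticket)
        if entry is None:
            return None
        userid, expires = entry
        if expires < now:
            del self._tickets[ticket]
            return None
        return userid

    def revoke(self, ticket):
        """Server-side logout: the ticket in the browser no longer maps to anyone."""
        self._tickets.pop(ticket, None)

    def revoke_user(self, userid):
        """Kill every session of one user, e.g. after a password change."""
        for ticket, (owner, _) in list(self._tickets.items()):
            if owner == userid:
                del self._tickets[ticket]


def demo():
    """Show the same 'logout then replay the old cookie' step under both schemes."""
    # Stateless cookie: after logout the server has nothing to forget, so the
    # replayed cookie still authenticates until its embedded expiry passes.
    cookie = make_signed_cookie("alice", ttl=3600, now=1000)
    stateless_after_logout = check_signed_cookie(cookie, now=1500)

    # Server-side tickets: deleting the entry makes the replayed cookie fail.
    store = TicketStore()
    ticket = store.issue("alice", ttl=3600, now=1000)
    store.revoke(ticket)
    ticket_after_logout = store.lookup(ticket, now=1500)
    return stateless_after_logout, ticket_after_logout


if __name__ == "__main__":
    print(demo())
```

The trade-off is the usual one: the signed cookie needs no storage and no lookup per request, which is why it only "relies on the browser's goodwill" to discard it; the ticket store costs a lookup per request (and shared storage across app servers), in exchange for the server being able to end a session whenever it wants.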
