On Wed, Jun 21, 2017 at 1:42 PM, Bert JW Regeer <[email protected]> wrote:

> AuthTkt goes a step further in that it stores the userid/username and
> signs it, so it can’t be spoofed, but there is no expiration server side,
> that is where having a ticket server side comes in.
>

In an attempt to clarify one point - an auth_tkt ticket can also contain
and sign the timestamp when the ticket was created such that you / the
policy can prevent someone replaying a cookie long after it was created.
However, if you want any sort of assurance that the user still exists inside
that valid range of time you *will* need to verify that ticket server-side
(backend query to see if the userid is still valid). This is an issue with
any client-side scheme including auth_tkt or jwt. This is what the
callback/groupfinder is for in the pyramid policy and obviously
pyramid_authsanity supports a way to verify the ticket with your backend as
well.

-- 
To view this discussion on the web visit
https://groups.google.com/d/msgid/pylons-discuss/CAKdhhwGen04oN8F3UggrATvFBdiyF4dD3QTEy3C-YCJisBm9_Q%40mail.gmail.com.
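The point made in the reply above, shown as an added, constructed example (not code from the thread, and not Pyramid's real auth_tkt format, which uses a different digest layout): a ticket binds a userid and an issue timestamp under an HMAC, so a client cannot forge or alter it; the timestamp lets the policy reject a cookie replayed long after it was issued; and a separate backend callback (the `groupfinder` role in Pyramid's policy) is still required to learn whether the user is still valid inside that window. The secret, the `USERS` table and the `max_age` values are placeholders chosen for the example.

```python
import hashlib
import hmac

# Placeholder secret for the example; a real deployment loads this from config.
SECRET = b"constructed-demo-secret"


def make_ticket(userid: str, issued_at: int, secret: bytes = SECRET) -> str:
    """Issue a ticket: HMAC over the issue time and userid, then both in the clear.

    Layout is 'sig!<issued_at hex>!<userid>'. The signature covers the timestamp,
    so a client cannot extend its own lifetime by editing the cookie.
    """
    payload = f"{issued_at:08x}!{userid}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{sig}!{payload}"


def parse_ticket(ticket: str, secret: bytes = SECRET):
    """Return (userid, issued_at) if the signature checks out, else None."""
    try:
        sig, ts_hex, userid = ticket.split("!", 2)
    except ValueError:
        return None  # malformed cookie
    payload = f"{ts_hex}!{userid}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many signature bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    return userid, int(ts_hex, 16)


def authenticated_userid(ticket: str, now: int, max_age: int, callback,
                         secret: bytes = SECRET):
    """Policy decision combining the three checks the thread describes.

    1. signature valid (client-side, no backend needed)
    2. issued within max_age of `now` (replay long after creation is refused)
    3. callback(userid) is not None (backend says the user still exists)
    """
    parsed = parse_ticket(ticket, secret)
    if parsed is None:
        return None
    userid, issued_at = parsed
    if issued_at > now or now - issued_at > max_age:
        return None  # expired, or future-dated (clock skew / tampering)
    if callback(userid) is None:
        return None  # ticket is genuine and fresh, but the user is gone
    return userid


# Constructed stand-in for the backend users table.
USERS = {"alice": ["editors"]}


def groupfinder(userid: str):
    """Pyramid-style callback: groups for a live user, None for an unknown one."""
    return USERS.get(userid)


if __name__ == "__main__":
    ticket = make_ticket("alice", issued_at=1000)
    print(authenticated_userid(ticket, now=1500, max_age=3600, callback=groupfinder))
    # A ticket for a user the backend no longer knows is rejected even though
    # its signature and timestamp are perfectly valid.
    stale_user = make_ticket("bob", issued_at=1000)
    print(authenticated_userid(stale_user, now=1500, max_age=3600, callback=groupfinder))
```

The order of the checks matters for cost: the signature and timestamp are verified without touching the backend, so only tickets that already pass those cheap checks trigger the database lookup that gives the "does this user still exist" assurance.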