On Mon, Dec 10, 2018 at 12:56 PM Michael Merickel <[email protected]> wrote:
>
> On Mon, Dec 10, 2018 at 12:21 PM Bert JW Regeer <[email protected]> wrote:
>>
>> Pyramid also by default supports all of the "secure" parts of the cookie. 
>> There are no extra flags that can't already be set using Pyramid.
>>
>> Using the Secure package for cookies is unnecessary.
>
>
> I imagine the benefit is less for Pyramid's builtin sessions and auth tokens 
> but for other arbitrary cookies a user may set where right now you must 
> remember/pass in all the options to `response.set_cookie`. If I were doing 
> this myself I'd probably use `config.set_response_factory` to define a custom 
> response subclass that contains some form of `response.set_secure_cookie(key, 
> value, **kwargs)` that had signing built into it, or even just define some 
> more purpose-built functions for the different types of cookies I want to 
> set. Fortunately most of my apps don't set cookies other than auth/session so 
> I don't really care. :-)

Ah yes, for the cookies I found the 'secure' and 'httponly' settings
in 'pyramid_redis_sessions' and used those. For the other headers I
made a NewResponse event listener and set them there.
