UnencryptedCookieSessionFactoryConfig(secret, timeout=1200, cookie_name='session', cookie_max_age=None, cookie_path='/', cookie_domain=None, cookie_secure=False, cookie_httponly=False, cookie_on_exception=True, signed_serialize=<function signed_serialize at 0x3c5b938>, signed_deserialize=<function signed_deserialize at 0x3c5b9b0>)[source]

Configure a session factory which will provide unencrypted (but signed) cookie-based sessions. The return value of this function is a session factory, which may be provided as the session_factory argument of a pyramid.config.Configurator constructor, or used as the session_factory argument of the pyramid.config.Configurator.set_session_factory() method.

The session factory returned by this function will create sessions which are limited to storing fewer than 4000 bytes of data (as the payload must fit into a single cookie).


A string which is used to sign the cookie.
A number of seconds of inactivity before a session times out.
The name of the cookie used for sessioning. Default: session.
The maximum age of the cookie used for sessioning (in seconds). Default: None (browser scope).
The path used for the session cookie. Default: /.
The domain used for the session cookie. Default: None (no domain).
The ‘secure’ flag of the session cookie. Default: False.
The ‘httpOnly’ flag of the session cookie. Default: False.
If True, set a session cookie even if an exception occurs while rendering a view. Default: True.
A callable which takes more or less arbitrary python data structure and a secret and returns a signed serialization in bytes. Default: signed_serialize (using pickle).
A callable which takes a signed and serialized data structure in bytes and a secret and returns the original data structure if the signature is valid. Default: signed_deserialize (using pickle).
signed_serialize(data, secret)[source]

Serialize any pickleable structure (data) and sign it using the secret (must be a string). Return the serialization, which includes the signature as its first 40 bytes. The signed_deserialize method will deserialize such a value.

This function is useful for creating signed cookies. For example:

cookieval = signed_serialize({'a':1}, 'secret')
response.set_cookie('signed_cookie', cookieval)
signed_deserialize(serialized, secret, hmac=<module 'hmac' from '/usr/lib/python2.7/hmac.pyc'>)[source]

Deserialize the value returned from signed_serialize. If the value cannot be deserialized for any reason, a ValueError exception will be raised.

This function is useful for deserializing a signed cookie value created by signed_serialize. For example:

cookieval = request.cookies['signed_cookie']
data = signed_deserialize(cookieval, 'secret')
check_csrf_token(request, token='csrf_token', raises=True)[source]

Check the CSRF token in the request’s session against the value in request.params.get(token). If a token keyword is not supplied to this function, the string csrf_token will be used to look up the token within request.params. If the value in request.params.get(token) doesn’t match the value supplied by request.session.get_csrf_token(), and raises is True, this function will raise an pyramid.httpexceptions.HTTPBadRequest exception. If the check does succeed and raises is False, this function will return False. If the CSRF check is successful, this function will return True unconditionally.

Note that using this function requires that a session factory is configured.

New in version 1.4a2.

Previous topic

Next topic