HTTPForbidden while authorizing inactive user


Alen

Nov 21, 2017, 10:41:11 AM
to pylons-discuss
Hi,

We've encountered a strange authorization issue we can't quite figure out how to get past... When the users of our web app are inactive for a while and then come back to use it, on the first request they get an HTTPForbidden error (presumably because the session has expired due to inactivity). However, they're not logged out, and if they refresh the page everything works as it should. The behavior is pretty easy to replicate: we just set session.timeout to 5 seconds, then use the app after being inactive for 5 seconds, and we always get the error. But here's the kicker: if we set pyramid.debug_authorization to True, then we don't see this issue!

We need help debugging this issue further... but we're pretty sure it's something misconfigured on our end. We're running the latest Pyramid (1.9.1) with pyramid_beaker for session management. Below is an excerpt from our development.ini file with the relevant settings:

================================
pyramid.reload_templates = true
pyramid.debug_authorization = false
pyramid.debug_notfound = true
pyramid.debug_routematch = false
pyramid.default_locale_name = en
pyramid.includes =
    pyramid_tm
    pyramid_debugtoolbar
    pyramid_beaker

# Debug toolbar
debugtoolbar.enabled = false
debugtoolbar.hosts = 0.0.0.0/0

# Use http instead of https in local environment for base portal URL
auth.policy.secure = false

# Beaker config
cache.type = ext:memcached
cache.url = 127.0.0.1:11211
cache.lock_dir = %(here)s/data/sessions/lock
cache.regions = second, default_term, short_term, long_term, full_day, forever_term
cache.second.expire = 1
cache.short_term.expire = 60
cache.default_term.expire = 300
cache.long_term.expire = 3600
cache.full_day.expire = 86400
cache.forever_term.expire = 604800
session.type = ext:memcached
session.url = 127.0.0.1:11211
session.data_dir = %(here)s/data/sessions/data
session.lock_dir = %(here)s/data/sessions/lock
session.key = KEY_HNAME
session.secret = SECRET_KEY
session.cookie_expires = 86400
session.secure = false
session.timeout = 3600
# End of beaker config
================================

And here is the auth policy setup from our __init__.py file:

================================
from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.settings import asbool

# Assumed wiring, not shown in the original excerpt: 'settings' is the dict
# passed to main(), and use_https is read from the auth.policy.secure setting
# in the ini file, which is why development.ini can switch it off.
use_https = asbool(settings.get('auth.policy.secure', 'true'))

authn_policy = AuthTktAuthenticationPolicy(
        # this is the secret used to sign cookies
        'SECRET_KEY',
        callback=groupfinder,  # defined elsewhere in this module; returns the user's groups, or None
        secure=use_https,      # This should always be True, unless overridden in development.ini file
        http_only=True,
        timeout=21600,         # ticket rejected 6 h after it was last (re)issued
        reissue_time=2160,     # ticket re-signed with a fresh timestamp once it is older than 36 min
        max_age=86400,         # browser keeps the cookie for 24 h, i.e. longer than `timeout`
        hashalg='sha512')
================================

Thanks

Alen

Nov 21, 2017, 10:55:41 AM
to pylons-discuss
I forgot to mention we do get some useful information when debug_authorization is set to True. Here is what we get:

2017-11-21 01:24:14,225 DEBUG [appname._authdebug_view()][waitress] debug_authorization of url http://localhost:6543/ (view name u'' against context <====================================.models.RootFactory object at 0x7f7ef246af90>): ACLDenied permission 'authenticated' via ACE '<default deny>' in ACL [...ACLs here...] on context <appname.models.RootFactory object at 0x7faf3c5a7c10> for principals ['system.Everyone']
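The debug line above shows the request carrying only system.Everyone, which is what Pyramid produces when the AuthTkt cookie is not honoured or the policy's callback returns None. The posted configuration has two independent expiry clocks, the AuthTkt cookie (timeout, reissue_time, max_age in __init__.py) and the Beaker session (session.timeout in development.ini), and they need not agree. The block below is an added example, not code from the original post, from Pyramid or from Beaker: a pure-Python model of both clocks using the posted values, which reports the principals a single request would carry after a given idle period. It assumes a constructed user "alice", a stand-in user store, and two hypothetical groupfinder callbacks, one that relies on the Beaker session and one that does not; the post does not show what the real groupfinder does, so this is a hypothesis to check, not a diagnosis. The model ignores the browser side (cookie Max-Age) and Beaker's backend details.

```python
# Added example, not code from the original post or from Pyramid/Beaker: a
# pure-Python model of the two independent expiry clocks in the posted config,
# the AuthTkt cookie (timeout / reissue_time / max_age) and the Beaker session
# (session.timeout), reporting which principals a request ends up with after a
# given idle period. simulate(), the groupfinder_* callbacks, USERS and the user
# "alice" are constructed for this example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

EVERYONE = "system.Everyone"
AUTHENTICATED = "system.Authenticated"


@dataclass
class AuthTktCfg:
    timeout: int       # ticket rejected this many seconds after it was last (re)issued
    reissue_time: int  # ticket older than this is re-signed with a fresh timestamp
    max_age: int       # Max-Age sent to the browser; may outlive `timeout`


@dataclass
class SessionCfg:
    timeout: int       # Beaker discards a session idle for longer than this


@dataclass
class Ticket:
    userid: str
    issued_at: float


@dataclass
class Session:
    data: Dict[str, object] = field(default_factory=dict)
    last_accessed: float = 0.0


# The values from the development.ini and __init__.py excerpts in the thread.
POSTED_AUTH = AuthTktCfg(timeout=21600, reissue_time=2160, max_age=86400)
POSTED_SESSION = SessionCfg(timeout=3600)
USERS = {"alice": ["group:editors"]}  # constructed stand-in for a user store


def load_ticket(ticket: Ticket, now: float, cfg: AuthTktCfg) -> Tuple[Optional[str], Optional[Ticket]]:
    """Return (userid or None, ticket to send back). Same order of checks as
    Pyramid's AuthTktCookieHelper: expiry first, then reissue."""
    age = now - ticket.issued_at
    if age > cfg.timeout:
        return None, None                                 # stale ticket: request is anonymous
    if age > cfg.reissue_time:
        return ticket.userid, Ticket(ticket.userid, now)  # re-signed, idle clock restarts
    return ticket.userid, ticket


def load_session(session: Session, now: float, cfg: SessionCfg) -> Session:
    """Beaker hands back a fresh, empty session once the old one has idled too long."""
    if now - session.last_accessed > cfg.timeout:
        return Session(last_accessed=now)
    session.last_accessed = now
    return session


def groupfinder_from_session(userid: str, session: Session) -> Optional[List[str]]:
    """Hypothetical callback that trusts the Beaker session for group membership.
    Returning None tells Pyramid the userid is not (or no longer) valid."""
    return session.data.get("groups")


def groupfinder_from_store(userid: str, session: Session) -> Optional[List[str]]:
    """Hypothetical callback that does not depend on the session at all."""
    return USERS.get(userid)


def effective_principals(userid: Optional[str], groups: Optional[List[str]]) -> List[str]:
    """Mirror Pyramid: no userid, or a callback returning None, yields only Everyone."""
    if userid is None or groups is None:
        return [EVERYONE]
    return [EVERYONE, AUTHENTICATED, userid] + list(groups)


def simulate(idle_seconds: float, auth: AuthTktCfg, sess: SessionCfg,
             groupfinder: Callable[[str, Session], Optional[List[str]]],
             userid: str = "alice") -> List[str]:
    """Log in at t=0, stay idle, then make one request; return its principals."""
    ticket = Ticket(userid, issued_at=0.0)
    session = Session({"groups": USERS[userid]}, last_accessed=0.0)
    now = float(idle_seconds)
    uid, _ = load_ticket(ticket, now, auth)
    session = load_session(session, now, sess)
    groups = groupfinder(uid, session) if uid is not None else None
    return effective_principals(uid, groups)


def gap_window(auth: AuthTktCfg, sess: SessionCfg) -> Optional[Tuple[int, int]]:
    """Idle range in which the auth cookie is still honoured but the session is gone."""
    if sess.timeout < auth.timeout:
        return (sess.timeout, auth.timeout)
    return None


if __name__ == "__main__":
    for idle in (10, 3601, 21601):
        print(idle, simulate(idle, POSTED_AUTH, POSTED_SESSION, groupfinder_from_session),
              simulate(idle, POSTED_AUTH, POSTED_SESSION, groupfinder_from_store))
    print("cookie valid but session gone between (s):", gap_window(POSTED_AUTH, POSTED_SESSION))
```

With the posted numbers, any idle period between 3600 s and 21600 s leaves the AuthTkt cookie valid (and re-signed, since it is older than reissue_time) while Beaker returns an empty session; a callback that reads group membership from the session returns None in that window and the request drops to system.Everyone, whereas a callback backed by a store independent of the session keeps the user authenticated. The same thing happens with the 5-second session.timeout used to reproduce the problem. Whether this is the actual cause depends on what the real groupfinder does, which the thread does not show, so the check to run is: log what groupfinder returns on the first request after the idle period, with debug_authorization left at false.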