Hi,
I'd like to implement the following session cookie behaviour:
- non-logged-in users get a short-lived one, like 1800 seconds, enough for all CSRF validation
- when logging in, they extend their cookie to 1 year
I'm using pyramid_session_redis, and I can change the Redis side using
    headers = remember(request, user.id)
    redis_timeout = 3600 * 24 * 365  # one year in Redis
    request.session.adjust_timeout_for_session(redis_timeout)
    return HTTPFound(location=..., headers=headers)
This changes the redis side just fine, however, I see no way to change the max_age on the already set cookie and I see that remember() supports max_age, but it doesn't work.
I've asked the developer of pyramid_session_redis and he said that there is no remember() in that package, so it's unrelated to that. Still, in Pyramid docs, I see that remember() supports max_age, so how is it?
So my solution right now is to set the session cookie max_age to something very big then just limit things in Redis.
Is this the right solution? Ideally, I'd like to achieve never logging out logged-in users, as it's bad for user experience, but at the same time limit bots and non-logged-in users to 1800 seconds.
Zsolt
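The two-tier lifetime described in the post, as an added example that is not part of the original message and does not use Pyramid, remember() or pyramid_session_redis. It relies only on the standard library; SessionStore (an in-memory stand-in for the Redis side), issue_cookie, start_anonymous_session and login are hypothetical names, and the cookie name "session" is assumed. The point it illustrates: a browser never edits a stored cookie's lifetime in place, so extending it on login means sending a fresh Set-Cookie for the same name with the longer Max-Age, and the server-side expiry stays the authoritative one regardless of what the cookie says.

```python
"""Tiered session-cookie lifetimes: 1800 s for anonymous visitors, one
year after login.  Added example; hypothetical names, stdlib only."""
import secrets
import time
from http.cookies import SimpleCookie

ANON_MAX_AGE = 1800              # 30 minutes, as in the post
AUTH_MAX_AGE = 3600 * 24 * 365   # one year, as in the post
COOKIE_NAME = "session"          # assumed cookie name


class SessionStore:
    """In-memory stand-in for the Redis side: session id -> record with TTL.
    The injectable clock lets the expiry logic be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._data = {}
        self._clock = clock

    def create(self, user_id=None, ttl=ANON_MAX_AGE):
        sid = secrets.token_urlsafe(32)   # 256-bit random session id
        self._data[sid] = {"user_id": user_id,
                           "expires_at": self._clock() + ttl}
        return sid

    def get(self, sid):
        """Return the record, or None if unknown or expired (server-side
        expiry is what actually limits a session, whatever the cookie says)."""
        rec = self._data.get(sid)
        if rec is None or rec["expires_at"] <= self._clock():
            self._data.pop(sid, None)
            return None
        return rec

    def delete(self, sid):
        self._data.pop(sid, None)


def issue_cookie(sid, max_age):
    """Build a Set-Cookie header value.  Re-sending the cookie with a new
    Max-Age is the only way to change the lifetime the browser holds."""
    c = SimpleCookie()
    c[COOKIE_NAME] = sid
    c[COOKIE_NAME]["max-age"] = max_age
    c[COOKIE_NAME]["httponly"] = True     # keep it out of script reach
    c[COOKIE_NAME]["secure"] = True       # HTTPS only
    c[COOKIE_NAME]["samesite"] = "Lax"    # helps against CSRF
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def start_anonymous_session(store):
    """First visit: short-lived session, short-lived cookie."""
    sid = store.create()
    return sid, issue_cookie(sid, ANON_MAX_AGE)


def login(store, old_sid, user_id):
    """On login: discard the anonymous session, mint a fresh id (so an id
    handed out before authentication never becomes a logged-in one), store
    it with the long TTL, and re-send the cookie with the long Max-Age."""
    store.delete(old_sid)
    sid = store.create(user_id=user_id, ttl=AUTH_MAX_AGE)
    return sid, issue_cookie(sid, AUTH_MAX_AGE)


if __name__ == "__main__":
    store = SessionStore()
    anon_sid, anon_cookie = start_anonymous_session(store)
    print("anonymous:", anon_cookie)
    auth_sid, auth_cookie = login(store, anon_sid, user_id="alice")
    print("logged in:", auth_cookie)
    print("old session still valid?", store.get(anon_sid) is not None)
```

Running the script prints the two Set-Cookie values; the second carries Max-Age=31536000 and a different session id, and the anonymous record is gone from the store. With this shape, the "set a huge max_age on the cookie and limit things in Redis" approach from the post is safe in the sense that a stale cookie can never outlive its server-side record, but re-issuing the cookie on login also lets the anonymous cookie expire on the client after 1800 s instead of lingering for a year.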