diff --git a/development.ini b/development.ini
--- a/development.ini
+++ b/development.ini
@@ -353,46 +353,35 @@ beaker.cache.sql_cache_short.key_length #################################### ### BEAKER SESSION #### #################################### + +## Name of session cookie. Should be unique for a given host and path, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. +beaker.session.key = kallithea +## Sessions should always only be accessible by the browser, not directly by JavaScript. +beaker.session.httponly = true +## Session lifetime. 2592000 seconds is 30 days. +beaker.session.timeout = 2592000 + +## Server secret used with HMAC to ensure integrity of cookies. +beaker.session.secret = development-not-secret +## Further, encrypt the data with AES. +#beaker.session.encrypt_key = +#beaker.session.validate_key = + ## Type of storage used for the session, current types are ## dbm, file, memcached, database, and memory. -## The storage uses the Container API -## that is also used by the cache system. + +## File system storage of session data. (default) +#beaker.session.type = file -## db session ## +## Cookie only, store all session data inside the cookie. Requires secure secrets. +#beaker.session.type = cookie + +## Database storage of session data. #beaker.session.type = ext:database #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea #beaker.session.table_name = db_session -## encrypted cookie client side session, good for many instances ## -#beaker.session.type = cookie - -## file based cookies (default) ## -#beaker.session.type = file - -## beaker.session.key should be unique for a given host, even when running -## on different ports. Otherwise, cookie sessions will be shared and messed up. -beaker.session.key = kallithea -beaker.session.secret = development-not-secret - -## Secure encrypted cookie. 
Requires AES and AES python libraries -## you must disable beaker.session.secret to use this -#beaker.session.encrypt_key = -#beaker.session.validate_key = - -## sets session as invalid if it haven't been accessed for given amount of time -beaker.session.timeout = 2592000 -beaker.session.httponly = true -#beaker.session.cookie_path = / - -## uncomment for https secure cookie -beaker.session.secure = false - -## auto save the session to not to use .save() -beaker.session.auto = False - -## default cookie expiration time in seconds `true` expire at browser close ## -#beaker.session.cookie_expires = 3600 - ############################ ## ERROR HANDLING SYSTEMS ## ############################ diff --git a/docs/usage/performance.rst b/docs/usage/performance.rst --- a/docs/usage/performance.rst +++ b/docs/usage/performance.rst @@ -22,7 +22,7 @@ Follow these few steps to improve perfor 1. Increase cache - Tweak beaker cache settings in the ini file. That actual effect of that + Tweak beaker cache settings in the ini file. The actual effect of that is questionable. 2. Switch from sqlite to postgres or mysql diff --git a/kallithea/bin/template.ini.mako b/kallithea/bin/template.ini.mako --- a/kallithea/bin/template.ini.mako +++ b/kallithea/bin/template.ini.mako 
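Review bot: The rewritten block removes `beaker.session.secure = false` together with its `## uncomment for https secure cookie` hint and puts nothing in its place, so the new comments cover the cookie name, httponly, timeout and the secret but leave the Secure attribute undocumented; an operator serving Kallithea over HTTPS no longer finds a prompt in the ini to set it. I would keep the key next to the httponly line, documented as `## Only send the session cookie over HTTPS. Set to true when Kallithea is served over HTTPS.` above `beaker.session.secure = false`. The same lines are dropped in the template.ini.mako, deployment.ini_tmpl and test.ini hunks. Whether Beaker's built-in default for secure is false is not visible here, so the removal may well be behaviour-preserving, but the explicit key is what tells an operator the option exists.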
@@ -351,46 +351,35 @@ beaker.cache.sql_cache_short.key_length <%text>#################################### <%text>### BEAKER SESSION #### <%text>#################################### + +<%text>## Name of session cookie. Should be unique for a given host and path, even when running +<%text>## on different ports. Otherwise, cookie sessions will be shared and messed up. +beaker.session.key = kallithea +<%text>## Sessions should always only be accessible by the browser, not directly by JavaScript. +beaker.session.httponly = true +<%text>## Session lifetime. 2592000 seconds is 30 days. +beaker.session.timeout = 2592000 + +<%text>## Server secret used with HMAC to ensure integrity of cookies. +beaker.session.secret = ${uuid()} +<%text>## Further, encrypt the data with AES. +#beaker.session.encrypt_key = +#beaker.session.validate_key = + <%text>## Type of storage used for the session, current types are <%text>## dbm, file, memcached, database, and memory. -<%text>## The storage uses the Container API -<%text>## that is also used by the cache system. + +<%text>## File system storage of session data. (default) +#beaker.session.type = file -<%text>## db session ## +<%text>## Cookie only, store all session data inside the cookie. Requires secure secrets. +#beaker.session.type = cookie + +<%text>## Database storage of session data. #beaker.session.type = ext:database #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea #beaker.session.table_name = db_session -<%text>## encrypted cookie client side session, good for many instances ## -#beaker.session.type = cookie - -<%text>## file based cookies (default) ## -#beaker.session.type = file - -<%text>## beaker.session.key should be unique for a given host, even when running -<%text>## on different ports. Otherwise, cookie sessions will be shared and messed up. -beaker.session.key = kallithea -beaker.session.secret = ${uuid()} - -<%text>## Secure encrypted cookie. 
Requires AES and AES python libraries -<%text>## you must disable beaker.session.secret to use this -#beaker.session.encrypt_key = -#beaker.session.validate_key = - -<%text>## sets session as invalid if it haven't been accessed for given amount of time -beaker.session.timeout = 2592000 -beaker.session.httponly = true -#beaker.session.cookie_path = / - -<%text>## uncomment for https secure cookie -beaker.session.secure = false - -<%text>## auto save the session to not to use .save() -beaker.session.auto = False - -<%text>## default cookie expiration time in seconds `true` expire at browser close ## -#beaker.session.cookie_expires = 3600 - %if error_aggregation_service == 'errormator': <%text>############################ <%text>## ERROR HANDLING SYSTEMS ## diff --git a/kallithea/config/deployment.ini_tmpl b/kallithea/config/deployment.ini_tmpl --- a/kallithea/config/deployment.ini_tmpl +++ b/kallithea/config/deployment.ini_tmpl 
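Review bot: The new `## Further, encrypt the data with AES.` comment above `#beaker.session.encrypt_key =` / `#beaker.session.validate_key =` drops the old caveat `## you must disable beaker.session.secret to use this` without saying whether it still applies, and it leaves unstated that the pair belongs to the `cookie` session type rather than being an extra layer on top of the HMAC secret for every backend. If I recall Beaker's CookieSession correctly, validate_key is the key that signs a cookie-type session and encrypt_key optionally encrypts it, while beaker.session.secret is not consulted in that mode; if the old constraint no longer holds the comment should say so, otherwise I would write `## For the cookie session type: validate_key signs the cookie (required), encrypt_key additionally encrypts it with AES; beaker.session.secret is not used in that mode.` The same comment appears in the development.ini, deployment.ini_tmpl and test.ini hunks. Note also that this template generates a `${uuid()}` value for beaker.session.secret only, so an operator who switches to cookie sessions still has to supply validate_key by hand.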
@@ -347,46 +347,35 @@ beaker.cache.sql_cache_short.key_length #################################### ### BEAKER SESSION #### #################################### + +## Name of session cookie. Should be unique for a given host and path, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. +beaker.session.key = kallithea +## Sessions should always only be accessible by the browser, not directly by JavaScript. +beaker.session.httponly = true +## Session lifetime. 2592000 seconds is 30 days. +beaker.session.timeout = 2592000 + +## Server secret used with HMAC to ensure integrity of cookies. +beaker.session.secret = ${app_instance_uuid} +## Further, encrypt the data with AES. +#beaker.session.encrypt_key = +#beaker.session.validate_key = + ## Type of storage used for the session, current types are ## dbm, file, memcached, database, and memory. -## The storage uses the Container API -## that is also used by the cache system. + +## File system storage of session data. (default) +#beaker.session.type = file -## db session ## +## Cookie only, store all session data inside the cookie. Requires secure secrets. +#beaker.session.type = cookie + +## Database storage of session data. #beaker.session.type = ext:database #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea #beaker.session.table_name = db_session -## encrypted cookie client side session, good for many instances ## -#beaker.session.type = cookie - -## file based cookies (default) ## -#beaker.session.type = file - -## beaker.session.key should be unique for a given host, even when running -## on different ports. Otherwise, cookie sessions will be shared and messed up. -beaker.session.key = kallithea -beaker.session.secret = ${app_instance_uuid} - -## Secure encrypted cookie. 
Requires AES and AES python libraries -## you must disable beaker.session.secret to use this -#beaker.session.encrypt_key = -#beaker.session.validate_key = - -## sets session as invalid if it haven't been accessed for given amount of time -beaker.session.timeout = 2592000 -beaker.session.httponly = true -#beaker.session.cookie_path = / - -## uncomment for https secure cookie -beaker.session.secure = false - -## auto save the session to not to use .save() -beaker.session.auto = False - -## default cookie expiration time in seconds `true` expire at browser close ## -#beaker.session.cookie_expires = 3600 - ############################ ## ERROR HANDLING SYSTEMS ## ############################ diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py --- a/kallithea/lib/base.py +++ b/kallithea/lib/base.py @@ -123,7 +123,8 @@ def log_in_user(user, remember, is_exter session.invalidate() session['authuser'] = cookie = auth_user.to_cookie() - # If they want to be remembered, update the cookie + # If they want to be remembered, update the cookie. + # NOTE: Assumes that beaker defaults to browser session cookie. if remember: t = datetime.datetime.now() + datetime.timedelta(days=365) session._set_cookie_expires(t) diff --git a/test.ini b/test.ini --- a/test.ini +++ b/test.ini 
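Review bot: The added `# NOTE: Assumes that beaker defaults to browser session cookie.` names the assumption but not the setting it depends on, which is the `#beaker.session.cookie_expires = 3600` line the ini hunks in this commit delete (it was commented out, so its removal changes nothing by itself, but the coupling is now invisible). I would make it greppable: `# NOTE: Assumes beaker.session.cookie_expires is left unset in the ini, so the session cookie keeps its browser-session lifetime; the 'remember' branch below is what extends it.` log_in_user starts and ends outside this hunk.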
@@ -353,46 +353,35 @@ beaker.cache.sql_cache_short.key_length #################################### ### BEAKER SESSION #### #################################### + +## Name of session cookie. Should be unique for a given host and path, even when running +## on different ports. Otherwise, cookie sessions will be shared and messed up. +beaker.session.key = kallithea +## Sessions should always only be accessible by the browser, not directly by JavaScript. +beaker.session.httponly = true +## Session lifetime. 2592000 seconds is 30 days. +beaker.session.timeout = 2592000 + +## Server secret used with HMAC to ensure integrity of cookies. +beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f} +## Further, encrypt the data with AES. +#beaker.session.encrypt_key = +#beaker.session.validate_key = + ## Type of storage used for the session, current types are ## dbm, file, memcached, database, and memory. -## The storage uses the Container API -## that is also used by the cache system. + +## File system storage of session data. (default) +#beaker.session.type = file -## db session ## +## Cookie only, store all session data inside the cookie. Requires secure secrets. +#beaker.session.type = cookie + +## Database storage of session data. #beaker.session.type = ext:database #beaker.session.sa.url = postgresql://postgres:qwe@localhost/kallithea #beaker.session.table_name = db_session -## encrypted cookie client side session, good for many instances ## -#beaker.session.type = cookie - -## file based cookies (default) ## -#beaker.session.type = file - -## beaker.session.key should be unique for a given host, even when running -## on different ports. Otherwise, cookie sessions will be shared and messed up. -beaker.session.key = kallithea -beaker.session.secret = {74e0cd75-b339-478b-b129-07dd221def1f} - -## Secure encrypted cookie. 
Requires AES and AES python libraries -## you must disable beaker.session.secret to use this -#beaker.session.encrypt_key = -#beaker.session.validate_key = - -## sets session as invalid if it haven't been accessed for given amount of time -beaker.session.timeout = 2592000 -beaker.session.httponly = true -#beaker.session.cookie_path = / - -## uncomment for https secure cookie -beaker.session.secure = false - -## auto save the session to not to use .save() -beaker.session.auto = False - -## default cookie expiration time in seconds `true` expire at browser close ## -#beaker.session.cookie_expires = 3600 - ############################ ## ERROR HANDLING SYSTEMS ## ############################