websauna.system.core.session module

Session management.

websauna.system.core.session.NO_SESSION_FILE_EXTENSIONS = ['.js', '.css', '.ico', '.png', '.gif', '.jpg']

Todo temporary fix until we manage address this properly in pyramid_redis_sessions

class websauna.system.core.session.WebsaunaSession(initial_data, redis, session_id, new, new_session, serialize=<built-in function dumps>, deserialize=<built-in function loads>)[source]

Bases: pyramid_redis_sessions.session.RedisSession

A specialized session handler that supports initial parameters.

We can pass initial_data that pre-populates session data keys when the session is written for the first time. Usually this is when CSRF token is generated.

websauna.system.core.session.WebsaunaSessionFactory(secret, timeout=1200, cookie_name='session', cookie_max_age=None, cookie_path='/', cookie_domain=None, cookie_secure=False, cookie_httponly=True, cookie_on_exception=True, url=None, host='localhost', port=6379, db=0, password=None, socket_timeout=None, connection_pool=None, encoding='utf-8', encoding_errors='strict', unix_socket_path=None, client_callable=None, serialize=<built-in function dumps>, deserialize=<built-in function loads>, id_generator=<function _generate_session_id>, cookieless_headers=('expires', 'cache-control'), klass=<class 'websauna.system.core.session.WebsaunaSession'>)[source]

Overrides the RedisSessionFactory with Websauna specifi functionality.


Due to functional paradigm, there was no clean way to override this. Move this to upstream pyramid_redis_session - its development has stalled for now

Constructs and returns a session factory that will provide session data from a Redis server. The returned factory can be supplied as the session_factory argument of a pyramid.config.Configurator constructor, or used as the session_factory argument of the pyramid.config.Configurator.set_session_factory() method.


secret A string which is used to sign the cookie.

timeout A number of seconds of inactivity before a session times out.

cookie_name The name of the cookie used for sessioning. Default: session.

cookie_max_age The maximum age of the cookie used for sessioning (in seconds). Default: None (browser scope).

cookie_path The path used for the session cookie. Default: /.

cookie_domain The domain used for the session cookie. Default: None (no domain).

cookie_secure The ‘secure’ flag of the session cookie. Default: False.

cookie_httponly The ‘httpOnly’ flag of the session cookie. Default: True.

cookie_on_exception If True, set a session cookie even if an exception occurs while rendering a view. Default: True.

url A connection string for a Redis server, in the format: redis://username:password@localhost:6379/0 Default: None.

host A string representing the IP of your Redis server. Default: localhost.

port An integer representing the port of your Redis server. Default: 6379.

db An integer to select a specific database on your Redis server. Default: 0

password A string password to connect to your Redis server/database if required. Default: None.

client_callable A python callable that accepts a Pyramid request and Redis config options and returns a Redis client such as redis-py’s StrictRedis. Default: None.

serialize A function to serialize the session dict for storage in Redis. Default: cPickle.dumps.

deserialize A function to deserialize the stored session data in Redis. Default: cPickle.loads.

id_generator A function to create a unique ID to be used as the session key when a session is first created. Default: private function that uses sha1 with the time and random elements to create a 40 character unique ID.

cookieless_headers If view has set any of these response headers do not add a session cookie on this response. This way views generating cacheable content, like images, can signal the downstream web server that this content is safe. Otherwise if we set a cookie on these responses it could result to user session leakage.

The following arguments are also passed straight to the StrictRedis constructor and allow you to further configure the Redis client:


Should we ignore session for this request?

Static assets requests do not need a session, exception made to requests to /notebook, because those requests are proxies to another daemon. :type url: str :param url: Request url. :rtype: bool :return: Flag indicating if session should be ignored.


Setup a session factory that remembers time when the session was created.

We need this information to later invalidate session for the authentication change details.