Websauna uses session-based authentication on the default settings (websauna.system.auth.policy.SessionAuthenticationPolicy). When a user logs in, the logged-in user id is stored in the session. All request.session variables set while the user was anonymous are carried over to the logged-in session.
By default, newly created User instances are not activated and thus cannot log in. To activate a user:

```python
from websauna.utils.time import now
from websauna.system.user.models import User
from websauna.system.user.utils import get_user_registry


def my_view(request):
    u = User(email="user@example.com")  # placeholder address

    # Leave this as None, or supply the plain-text password here;
    # the user registry hashes it before it is stored
    password = None
    if password:
        # How to set a password on a freshly created user
        user_registry = get_user_registry(request)
        user_registry.set_password(u, password)

    # Where this user came to our site from
    u.registration_source = "command_line"

    # Mark the user activated so that it can log in
    u.activated_at = now()

    request.dbsession.add(u)
```
To protect against session fixation attacks there exist
Always fire this event when you change authentication-sensitive user details (email, password).
If you implement custom session handling, listen for this event and drop all of the user's sessions when you receive it.
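The two behaviours described above, carrying anonymous session variables into the logged-in session while defending against session fixation, and dropping every session of a user when an authentication-sensitive detail changes, as an added example that is not Websauna's own code. The session store, the event bus and the event name AuthSensitiveOperation are assumptions made for this example; the scenario data (user id 42, the planted session, the "lang" variable) is constructed.

```python
import hashlib
import secrets
from collections import defaultdict


class SessionStore:
    """In-memory session store. Sessions are dicts keyed by an opaque id;
    a reverse index records which session ids belong to which user id."""

    def __init__(self):
        self._sessions = {}               # session id -> session variables
        self._by_user = defaultdict(set)  # user id -> set of session ids

    def new_session(self):
        """Anonymous session, as issued on a visitor's first request."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        """Session variables for `sid`, or None if the id is not live."""
        return self._sessions.get(sid)

    def login(self, sid, user_id):
        """Authenticate the session: the anonymous variables survive, but
        the session *id* is replaced. A fixation attacker who planted `sid`
        in the victim's browser before login therefore ends up holding a
        dead id rather than the authenticated one."""
        data = self._sessions.pop(sid, {})
        data["user_id"] = user_id
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        self._by_user[user_id].add(new_sid)
        return new_sid

    def drop_user_sessions(self, user_id):
        """Invalidate every session of `user_id` on every device and
        return how many were dropped."""
        sids = self._by_user.pop(user_id, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)


class AuthSensitiveOperation:
    """Event fired after an authentication-sensitive change (email,
    password). Hypothetical name chosen for this example."""

    def __init__(self, user_id):
        self.user_id = user_id


class EventBus:
    """Tiny synchronous publish/subscribe dispatcher."""

    def __init__(self):
        self._handlers = defaultdict(list)

    def subscribe(self, event_type, handler):
        self._handlers[event_type].append(handler)

    def notify(self, event):
        for handler in self._handlers[type(event)]:
            handler(event)


def change_password(bus, users, user_id, new_password):
    """Store a salted PBKDF2 hash, then fire the event so subscribers
    (here: the session store) drop every session of that user."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    users[user_id] = {"salt": salt, "hash": digest}
    bus.notify(AuthSensitiveOperation(user_id))


def run_scenario():
    """Walk through the fixation defence and the session drop; returns
    the observations a test can check."""
    store = SessionStore()
    bus = EventBus()
    bus.subscribe(AuthSensitiveOperation,
                  lambda ev: store.drop_user_sessions(ev.user_id))
    users = {}

    # Constructed scenario: an attacker gets this session id into the
    # victim's browser (e.g. via a crafted link) before the victim logs in.
    planted = store.new_session()
    store.get(planted)["lang"] = "fi"   # variable set while anonymous

    browser_sid = store.login(planted, user_id=42)             # victim logs in
    phone_sid = store.login(store.new_session(), user_id=42)   # second device

    obs = {
        "planted_dead_after_login": store.get(planted) is None,
        "lang_carried_over": store.get(browser_sid)["lang"] == "fi",
        "user_bound": store.get(browser_sid)["user_id"] == 42,
        "live_before_change": sum(store.get(s) is not None for s in (browser_sid, phone_sid)),
    }
    change_password(bus, users, 42, "correct horse battery staple")
    obs["live_after_change"] = sum(store.get(s) is not None for s in (browser_sid, phone_sid))
    return obs
```

Note that the password change drops the current session as well as the others; a real view re-logs the acting user in after firing the event, otherwise they are bounced to the login page on the next request.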