pyramid_authsanity is an authentication policy for the Pyramid Web Framework that strives to make it easier to write a secure authentication policy that follows web best practices.

  • Uses tickets to allow sessions to be prematurely ended. Don’t depend on the expiration of a cookie for example, instead have the ability to terminate sessions server side.

  • Stops session fixation by automatically clearing the session upon login/logout. Sessions are also cleared if the new session is for a different userid than before.

  • Automatically adds the Vary HTTP header if the authentication policy is used.

pyramid_authsanity uses Michael Merickel’s absolutely fantastic pyramid_services to allow an application developer to easily plug in their own sources, and interact with their user database.

API Documentation

Reference material for every public API exposed by pyramid_authsanity:

Narrative Documentation

Narrative documentation that describes how to use this library, with some examples.

Other Matters