The authentication policy

This authentication policy has two moving pieces that work together to provide an easy-to-use authentication policy, one that adds security by allowing the server to terminate an active authentication session.

Source Service

The first piece is called the authentication source service; it stores the principal and a ticket. There are two provided source services:

session

This source stores the information required for authentication in the Pyramid session, which requires that a session is available in the application as request.session. Since there is no requirement for a Pyramid application to have a registered session, pyramid_authsanity decided not to make this the default.

Authentication Service

The authentication service is defined by the user; its primary goal is to verify that the principal and ticket are both still valid.
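
The check described above, shown as an added example (not code from pyramid_authsanity or its documentation): a user-defined service that accepts a session only while its principal and ticket pair is still recorded server-side, so deleting the ticket ends that session. The names TicketStore, DemoAuthService, login, verify and revoke are hypothetical, and the in-memory store is a constructed stand-in for a database table.

```python
import hmac
import secrets


class TicketStore:
    """Constructed in-memory stand-in for a server-side ticket table."""

    def __init__(self):
        self._live = {}  # principal -> set of tickets still honoured

    def add(self, principal, ticket):
        self._live.setdefault(principal, set()).add(ticket)

    def revoke(self, principal, ticket=None):
        # ticket=None ends every session of the principal (e.g. password reset).
        if ticket is None:
            self._live.pop(principal, None)
        else:
            self._live.get(principal, set()).discard(ticket)

    def is_live(self, principal, ticket):
        # Each comparison is constant-time; the list is built before any().
        matches = [hmac.compare_digest(t, ticket) for t in self._live.get(principal, ())]
        return any(matches)


class DemoAuthService:
    """Hypothetical user-defined service: checks principal and ticket together."""

    def __init__(self, store):
        self.store = store

    def login(self, principal):
        ticket = secrets.token_urlsafe(32)  # unguessable, one per login
        self.store.add(principal, ticket)
        return principal, ticket  # the pair a source service would persist

    def verify(self, principal, ticket):
        # Missing either half means the stored session data is unusable.
        if not principal or not ticket:
            return False
        return self.store.is_live(principal, ticket)


def demo():
    svc = DemoAuthService(TicketStore())
    laptop = svc.login("alice")  # constructed sample principal
    phone = svc.login("alice")
    before = (svc.verify(*laptop), svc.verify(*phone))
    svc.store.revoke("alice", laptop[1])  # server ends one session only
    after = (svc.verify(*laptop), svc.verify(*phone))
    forged = svc.verify("alice", "guessed-ticket")
    return before, after, forged
```

Because validity is decided by the server-side record rather than by the data held in the session, revoking one ticket leaves the principal's other sessions untouched, while calling revoke without a ticket ends all of them.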