This repository has been archived by the owner on Jun 19, 2020. It is now read-only.

Yosai web: How to keep user logged in? Bug? #22

Open
brunoais opened this issue Jul 12, 2018 · 4 comments

Comments

@brunoais

brunoais commented Jul 12, 2018

From what I investigated, the user is not being kept logged in between accesses to the pages.
I am running Yosai==0.3.2 and I'm making use of the web component.

I've noticed that, after the user is logged in, the session is not kept between pages.
According to the web's mgt.py:87-90 code, the user id is got from the context, while the web_registry is also available on that same line. On that line, even though the web_registry with the current session_id is available there, the session_id is got from the context and not from the web_registry.
From following the code, I find that at no point in the execution of YosaiWeb is the session_id got from the web_registry. Am I doing something wrong?

I am not allowing users to use the remember_me functionality by not giving them the option to.

I've tried searching through the tests and I can't find any test that actually tests the Flask web flow, where a user logs in and it is then checked whether the session was kept between requests.

As a temp-fix, I will change that line 89 so it gets the session from the web registry when the one from the context is None.

@Dowwie How do I get myself unstuck without creating security holes?

@Dowwie
Contributor

Dowwie commented Jul 12, 2018

Hi @brunoais . I haven't touched this project in a long while! Before I dig in, would you please help me understand your situation? Are you reading through source code prior to testing an actual web application, trying to make sense prior to lift-off? Are you using the additional plugins, yosai_alchemystore and yosai_dpcache? I spent most of my time testing using cache-backed session handling (redis). Are you doing the same?

Take a look at the demo web app written using Pyramid and see if this helps at all.

@brunoais
Author

brunoais commented Jul 12, 2018

@Dowwie
I can.
I am reading the source code to try to understand it, yes.
I'm using a NoSQL database and I'm using flask, so I'm just using yosai with yosai web.
I extended WebSessionHandler and WebSessionManager so I can use the MemorySessionStore for the current tests.
I'm not using any cache so far.
I'm asking for help because not even the demo with pyramid is helping right now at all.

Additionally, when I restart the server, it gives ValueError: There is no session with id instead of making a new session. I already made the change (I mentioned above) to WebSecurityManager.get_session_key(self, subject_context) to use the session_id stored in the web_registry. I was expecting the session to be cancelled or terminated (requiring a relogin) or restarted, not a ValueError.
What may be happening is that I made the change in the wrong place.

Thanks for the quick answer.

@brunoais
Author

brunoais commented Jul 12, 2018

By the way, there are things that I am struggling with. For example, where is the SubjectContext's self.session ever assigned (besides being set to None)?

@brunoais
Author

brunoais commented Jul 13, 2018

Another element I hadn't mentioned is that I will want to store the user's session as a cookie (ciphered and signed) in the browser. I don't want to have session and session data in the server.
I already have the means for the encryption, what I need is to connect the session storage with the request end so I can encode it.
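The comment above wants the session carried in the browser rather than on the server. The signed-and-expiring half of that design, as an added example that is not brunoais's code, not Yosai's, and not tied to Yosai's WebRegistry or session store API: the session dict is serialised, stamped with an expiry, and authenticated with HMAC-SHA256 over the encoded payload, and verification uses a constant-time compare and rejects malformed, tampered or stale cookies before any field is trusted. The confidentiality layer ("ciphered") is deliberately left out because it needs an AEAD from a third-party library; the 32-byte key and one-hour TTL are constructed values for the demonstration, not values from the thread.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secret for this demonstration. A real deployment loads the key
# from configuration and rotates it; it must never live in source control.
SECRET_KEY = secrets.token_bytes(32)

# Constructed lifetime: one hour. The expiry is inside the signed payload, so
# a client cannot extend it without invalidating the signature.
SESSION_TTL_SECONDS = 3600


def _b64e(raw: bytes) -> str:
    # URL-safe base64 without padding, so the token is cookie-friendly.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, payload: str) -> bytes:
    # The MAC covers the encoded payload text exactly as it travels, so any
    # byte changed in transit changes the authenticated message.
    return hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()


def encode_session(session: dict, key: bytes = SECRET_KEY,
                   now: Optional[float] = None) -> str:
    """Serialise a session dict, stamp an expiry and sign it: '<payload>.<tag>'."""
    now = time.time() if now is None else now
    body = dict(session, exp=int(now) + SESSION_TTL_SECONDS)
    # Canonical JSON (sorted keys, no whitespace) keeps encoding deterministic.
    payload = _b64e(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{_b64e(_mac(key, payload))}"


def decode_session(cookie: str, key: bytes = SECRET_KEY,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the session dict if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, tag = cookie.split(".", 1)
        # Verify before parsing: nothing inside the payload is trusted until
        # the MAC checks out. compare_digest avoids timing side channels.
        if not hmac.compare_digest(_mac(key, payload), _b64d(tag)):
            return None
        body = json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        # Covers a missing separator, bad base64 (binascii.Error is a
        # ValueError), non-UTF-8 bytes and invalid JSON.
        return None
    if not isinstance(body, dict):
        return None
    exp = body.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return body


if __name__ == "__main__":
    token = encode_session({"user_id": 42, "roles": ["reader"]})
    print(token)
    print(decode_session(token))
    # Flip one character of the payload: the signature no longer matches.
    head, sig = token.split(".", 1)
    broken = head[:-1] + ("A" if head[-1] != "A" else "B") + "." + sig
    print(decode_session(broken))
```

On the request side the handler calls decode_session on the cookie value and treats None as "not logged in", which is the behaviour the comment expected instead of a ValueError when no server-side session exists. To add the missing confidentiality, the payload would be encrypted with an AEAD such as AES-GCM before signing is replaced by the AEAD's own tag; that is an assumption about a later design, not something in this block.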
