Advanced configuration

Authentication policy

registerlogin uses AuthTktAuthenticationPolicy. Its default settings are stored within the config as:

        secret: fullauth_psst  # default secret used to hash the auth_tkt cookie
        hashalg: sha512        # default authentication policy hash algorithm
        timeout: 2             # (optional) number of seconds for which an auth ticket will be valid
        reissue_time: 0.2      # (optional) number of seconds that must pass before an authentication token cookie is automatically reissued as the result of a request which requires authentication


The timeout and reissue_time settings determine after what period of inactivity a user is logged out. If they are not included in your AuthTktAuthenticationPolicy config, both default to None. To get a better insight into how they work when set, look at the tests.test_login test cases test_automatic_logout and test_automatic_logout_not_expired.
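As an added illustration (not code from pyramid_fullauth or Pyramid), the following is a simplified model of the two checks Pyramid's auth_tkt helper applies on each authenticated request: reject a ticket older than timeout, and re-stamp a ticket older than reissue_time. The Ticket type, the login at t=0 and the request timings are constructed for the example; it shows why timeout only behaves as an inactivity timeout when reissue_time is set.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ticket:
    """The auth_tkt cookie as the policy sees it: who, and when it was (re)issued."""
    userid: str
    timestamp: float  # seconds; constructed model, not the real cookie layout


def identify(ticket: Optional[Ticket], now: float,
             timeout: Optional[float], reissue_time: Optional[float]) -> Optional[Ticket]:
    """Apply timeout/reissue_time to a ticket presented at time `now`.

    Returns what the client holds after the request: None when the ticket has
    expired (user is logged out), the same ticket when it is still valid but too
    fresh to reissue, or a new ticket stamped with `now` when it is older than
    reissue_time (the reissued cookie travels back on the response).
    """
    if ticket is None:
        return None
    # timeout: a ticket older than `timeout` seconds is rejected outright
    if timeout is not None and ticket.timestamp + timeout < now:
        return None
    # reissue_time: an accepted ticket older than this gets a fresh timestamp,
    # which is what turns `timeout` into an inactivity timeout
    if reissue_time is not None and now - ticket.timestamp > reissue_time:
        return Ticket(ticket.userid, now)
    return ticket


def simulate(request_times: List[float], timeout: Optional[float],
             reissue_time: Optional[float]) -> List[bool]:
    """Log in at t=0, then replay authenticated requests at the given times.
    Returns, per request, whether the user was still authenticated."""
    ticket: Optional[Ticket] = Ticket("alice", 0.0)  # constructed login at t=0
    outcome = []
    for now in request_times:
        ticket = identify(ticket, now, timeout, reissue_time)
        outcome.append(ticket is not None)
    return outcome


if __name__ == "__main__":
    # Settings from the config above: timeout=2, reissue_time=0.2.
    # Activity at 0.5 and 2.4 keeps refreshing the cookie; the 2.1 s gap before 4.5 logs out.
    print(simulate([0.1, 0.5, 2.4, 4.5], timeout=2, reissue_time=0.2))  # [True, True, True, False]
    # Without reissue_time the cookie is never refreshed, so activity does not help.
    print(simulate([0.1, 0.5, 2.4], timeout=2, reissue_time=None))      # [True, True, False]
```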

See also

For more information about additional settings that can be included in your AuthTktAuthenticationPolicy, as well as how to choose optimal values for timeout and reissue_time, please see AuthTktAuthenticationPolicy.


The callback setting is already defined by registerlogin as pyramid_fullauth.auth.groupfinder().


To stop applications on subdomains from sharing the same cookie, set registerlogin.AuthTkt.wild_domain to False. This restricts emitted cookies to the current domain only. You can also change settings such as registerlogin.AuthTkt.cookie_name and registerlogin.AuthTkt.secret to make sure your apps use different cookie names and secrets.

Authentication Providers

It may happen that the project needs to identify which authentication providers a user is using (e.g. Facebook, Google, email, some OpenID). That is what the user.providers relation is for.

It stores the data needed to authenticate with each provider for each user; the exception is email, where the user is identified by their id in the system. Each social provider entry is added when the user connects their account with the given social network, and the email entry is added during standard registration or during a password reset.


The pyramid_fullauth package also provides a basic ACL mixin for your RootFactory. It contains a basic ACL definition as well as an init method.

See pyramid_fullauth.auth.BaseACLRootFactoryMixin


The plugin emits several events throughout the registration process, login, and several other actions.

All of them, along with detailed descriptions, can be found in the package.

Read the Using Events chapter of Pyramid's documentation to see how to add an event subscriber to your application and handle those events.

Session Factory

pyramid_fullauth allows you to connect a custom session factory to the application. By default it uses Pyramid's UnencryptedCookieSessionFactoryConfig(), but using a different session factory is just a matter of the appropriate settings in fullauth.session. See the Configuration section on how to configure it.

More on sessions and session factories can be found in the Sessions chapter of Pyramid's documentation.