Session cookie config + Set-Cookie header construction.
Pylon supports two transports for the same opaque session token:
- Authorization: Bearer <token> (CLI, mobile, server-to-server)
- Cookie: <name>=<token> (browsers; HttpOnly, so XSS can’t read it)
The server-side session model is identical; this module just shapes
the Set-Cookie header for the browser transport. Cookie name defaults
to ${app_name}_session so multiple Pylon apps on the same parent
domain don’t clobber each other.
Browser auth is “secure by default”: cookies are HttpOnly + Secure +
SameSite=Lax in prod. Dev mode (PYLON_DEV_MODE=1) drops Secure so
localhost works without TLS.
Structs
Enums
- SameSite - Cookie SameSite policy. Lax is the right default for OAuth flows because the post-callback navigation is a top-level GET, which Lax permits. Strict would block the cookie on that initial navigation.
Functions
- extract_token - Read a session token out of a Cookie: header value. Cookies are name=value; name=value; ...; we scan for the configured name.
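As an added example (not Pylon's own code), a minimal version of the two pieces this module describes: a Set-Cookie builder with the prod/dev Secure toggle and an extract_token that matches the configured cookie name exactly. The SameSite::as_str helper, the Path=/ attribute and the dev_mode flag standing in for PYLON_DEV_MODE=1 are assumptions.

```rust
/// SameSite policy for the session cookie (assumed shape of the page's enum).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum SameSite { Lax, Strict, None }

impl SameSite {
    // Assumed helper: attribute value as it appears on the wire.
    fn as_str(self) -> &'static str {
        match self {
            SameSite::Lax => "Lax",
            SameSite::Strict => "Strict",
            SameSite::None => "None",
        }
    }
}

/// Build the Set-Cookie header value for the browser transport.
/// `dev_mode` stands in for PYLON_DEV_MODE=1: it drops `Secure` so plain-HTTP
/// localhost works; HttpOnly and SameSite stay on in both modes.
/// Path=/ is an assumption so the cookie is not scoped to the login path.
pub fn set_cookie_header(name: &str, token: &str, same_site: SameSite, dev_mode: bool) -> String {
    let mut parts = vec![
        format!("{}={}", name, token),
        "Path=/".to_string(),
        "HttpOnly".to_string(),
    ];
    if !dev_mode {
        parts.push("Secure".to_string());
    }
    parts.push(format!("SameSite={}", same_site.as_str()));
    parts.join("; ")
}

/// Pull the token for `name` out of a `Cookie:` header value
/// (`name=value; name=value; ...`). Matches the whole name, so
/// `app_session` never matches `otherapp_session`; tolerates stray
/// whitespace; keeps any `=` inside the value; returns the first match.
pub fn extract_token<'a>(cookie_header: &'a str, name: &str) -> Option<&'a str> {
    cookie_header
        .split(';')
        .map(str::trim)
        .filter_map(|pair| pair.split_once('='))
        .find(|(k, _)| k.trim() == name)
        .map(|(_, v)| v.trim())
}
```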