Session and Auth module for the Aspen Web Framework
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


This module contains some standard web framework functionality intended to integrate with the Aspen web framework. Aspen does not currently include these features, so I've created basic implementations of them:

  • Sessions
  • Single Request Messages
  • Authentication

The session and auth implementations use mongo_engine for storage. To use them, ensure trembling is on your path and make your Aspen hooks.conf look something like this:

# Startup Hooks

# Inbound Early Hooks

# Inbound Late Hooks

# Outbound Early hooks

# Outbound Late Hooks

# Shutdown Hooks

This assumes your project has a .aspen/ (you can change the startup hook if you prefer a different filename) to configure the database. At a bare minimum it'll look something like this:

from mongoengine import connect

def startup(website):
    website.db = connect("MY_DB_NAME")


There is a trembling.auth.User mongoengine document that you can use to access user data. The auth module also contains login, logout, and login_required methods. Call them from your simplate as

  • login(request, username, password)
  • logout(request)
  • login_required(request, "/login/page.html")

The latter will raise an appropriate redirect response if the user is not authenticated. If you do not specify a redirect url, it will redirect to trembling.auth.LOGIN_URL. This defaults to /account/login.html, or you can set it to a string of your choice in an aspen startup hook.

For an example of how these modules can be used in practice, see Todoy


If you put something in request.session['messages'] it will automatically be popped and submitted as request.messages in the following request. Note that it doesn't currently do any handling of combining multiple messages into a list or anything like that.


Testing requires py.test, and optionally, for code coverage, and pytest-cov. I have the following in my .bashrc:

py.test --cov=. --cov-report=html --cov-config=coveragerc


I'd like to remove the dependency on mongoengine by creating a pluggable session backend engine as is used in Django.

I'm not sure how secure this code is. I took and Django as input, but I've only implemented the bare minimum.

Pull requests are always welcome!