pyramid_cubicweb/auth.py
changeset 11561 25d93d14f8b6
parent 11537 caf268942436
child 11562 a49f08423f02
--- a/pyramid_cubicweb/auth.py	Thu Apr 09 23:58:38 2015 +0200
+++ b/pyramid_cubicweb/auth.py	Thu Feb 12 19:21:39 2015 +0100
@@ -2,29 +2,37 @@
 import logging
 import warnings
 
+from zope.interface import implementer
+
+from pyramid.settings import asbool
 from pyramid.authorization import ACLAuthorizationPolicy
 from pyramid_cubicweb.core import get_principals
+from pyramid_multiauth import MultiAuthenticationPolicy
 
 from pyramid.authentication import AuthTktAuthenticationPolicy
 
+from pyramid.interfaces import IAuthenticationPolicy
+
 log = logging.getLogger(__name__)
 
 
-class CubicWebAuthTktAuthenticationPolicy(AuthTktAuthenticationPolicy):
+@implementer(IAuthenticationPolicy)
+class UpdateLoginTimeAuthenticationPolicy(object):
     """An authentication policy that update the user last_login_time.
 
-    The update is done in the 'remember' method, which is called on login,
-    and each time the authentication ticket is reissued.
-
-    Meaning, the last_login_time is updated reissue_time seconds (maximum)
-    before the last request by the user.
+    The update is done in the 'remember' method, which is called by the login
+    views login,
 
     Usually used via :func:`includeme`.
     """
 
+    def authenticated_userid(self, request):
+        pass
+
+    def effective_principals(self, request):
+        return ()
+
     def remember(self, request, principal, **kw):
-        headers = super(CubicWebAuthTktAuthenticationPolicy, self).remember(
-            request, principal, **kw)
         try:
             repo = request.registry['cubicweb.repository']
             with repo.internal_cnx() as cnx:
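Review bot: UpdateLoginTimeAuthenticationPolicy is declared with `@implementer(IAuthenticationPolicy)` but defines no `unauthenticated_userid`, which that interface requires; this hunk and the next show only `authenticated_userid`, `effective_principals`, `remember` and `forget`. MultiAuthenticationPolicy asks each sub-policy in turn, and this policy is appended first in `includeme`, so reading `request.unauthenticated_userid` would most likely raise AttributeError before the auth-ticket policy is consulted. Add `def unauthenticated_userid(self, request): return None` next to `authenticated_userid`. The docstring's new sentence also stops mid-phrase ("called by the login views login,") and should be completed. The body of `remember` continues outside this hunk.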
@@ -35,7 +43,10 @@
                 cnx.commit()
         except:
             log.exception("Failed to update last_login_time")
-        return headers
+        return ()
+
+    def forget(self, request):
+        return ()
 
 
 def includeme(config):
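Review bot: The bare `except:` around the last_login_time update also catches SystemExit and KeyboardInterrupt; `except Exception:` keeps the update best-effort without swallowing those. Since `remember` now returns `()` on both the success and the failure path, a short comment such as `# no headers of our own; cookie handling is left to the other policies` would make that intent explicit. `forget` would benefit from the same one-line explanation. `remember` starts in the previous hunk.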
@@ -45,25 +56,41 @@
 
     See also :ref:`defaults_module`
     """
-    secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+    settings = config.registry.settings
+
+    policies = []
+
+    if asbool(settings.get('cubicweb.auth.update_login_time', True)):
+        policies.append(UpdateLoginTimeAuthenticationPolicy())
 
-    if not secret:
-        secret = 'notsosecret'
-        warnings.warn('''
+    if asbool(settings.get('cubicweb.auth.authtkt', True)):
+        secret = config.registry['cubicweb.config']['pyramid-auth-secret']
 
-            !! WARNING !! !! WARNING !!
+        if not secret:
+            secret = 'notsosecret'
+            warnings.warn('''
+
+                !! WARNING !! !! WARNING !!
 
-            The authentication cookies are signed with a static secret key.
-            To put your own secret key, edit your all-in-one.conf file
-            and set the 'pyramid-auth-secret' key.
+                The authentication cookies are signed with a static secret key.
+                To put your own secret key, edit your all-in-one.conf file
+                and set the 'pyramid-auth-secret' key.
 
-            YOU SHOULD STOP THIS INSTANCE unless your really know what you
-            are doing !!
+                YOU SHOULD STOP THIS INSTANCE unless your really know what you
+                are doing !!
+
+            ''')
 
-        ''')
+        policies.append(
+            AuthTktAuthenticationPolicy(
+                secret, hashalg='sha512', reissue_time=3600))
 
-    config.set_authentication_policy(
-        CubicWebAuthTktAuthenticationPolicy(
-            secret, callback=get_principals, hashalg='sha512',
-            reissue_time=3600))
+    kw = {}
+    if asbool(settings.get('cubicweb.auth.groups_principals', True)):
+        kw['callback'] = get_principals
+
+    authpolicy = MultiAuthenticationPolicy(policies, **kw)
+    config.registry['cubicweb.authpolicy'] = authpolicy
+
+    config.set_authentication_policy(authpolicy)
     config.set_authorization_policy(ACLAuthorizationPolicy())
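Review bot: When `pyramid-auth-secret` is empty the code still falls back to the literal `'notsosecret'` and only warns, so an instance started without the setting signs its authentication cookies with a key that is published in this file, and a ticket signed with that key would be accepted as genuine. Fail closed instead: replace `secret = 'notsosecret'` and the warning with `raise ConfigurationError("pyramid-auth-secret must be set when cubicweb.auth.authtkt is enabled")` (from `pyramid.exceptions`), or permit the fallback only behind an explicit development setting. The `AuthTktAuthenticationPolicy(...)` call also leaves `secure` and `http_only` at their defaults; passing `http_only=True`, and `secure=True` on HTTPS deployments, would keep the ticket away from page scripts and plaintext transport. `includeme` starts outside this hunk.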