--- a/pyramid_cubicweb/defaults.py Fri Sep 19 14:26:55 2014 +0200
+++ b/pyramid_cubicweb/defaults.py Thu Sep 18 11:43:45 2014 +0200
@@ -1,4 +1,6 @@
-from pyramid.authentication import SessionAuthenticationPolicy
+import warnings
+
+from pyramid.authentication import AuthTktAuthenticationPolicy
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid_cubicweb.core import get_principals
@@ -7,8 +9,26 @@
def includeme(config):
config.include('pyramid_cubicweb.session')
+ secret = config.registry['cubicweb.config']['pyramid-auth-secret']
+
+ if not secret:
+ secret = 'notsosecret'
+ warnings.warn('''
+
+ !! WARNING !! !! WARNING !!
+
+ The authentication cookies are signed with a static secret key.
+ To put your own secret key, edit your all-in-one.conf file
+ and set the 'pyramid-session-secret' key.
+
+ YOU SHOULD STOP THIS INSTANCE unless your really know what you
+ are doing !!
+
+ ''')
+
config.set_authentication_policy(
- SessionAuthenticationPolicy(callback=get_principals))
+ AuthTktAuthenticationPolicy(
+ secret, callback=get_principals, hashalg='sha512'))
config.set_authorization_policy(ACLAuthorizationPolicy())
config.include('pyramid_cubicweb.login')
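Review bot: The warning text tells the operator to set `'pyramid-session-secret'`, but the value the policy actually uses is read from `config['pyramid-auth-secret']`, so an operator following the message would edit the wrong key and keep running on the static secret; the line should read `and set the 'pyramid-auth-secret' key.` More importantly, falling back to the literal `'notsosecret'` means anyone who can read this public source can mint a valid auth_tkt for any principal on an unconfigured instance, since the ticket is only as strong as the secret it is signed with; a safer fallback is to refuse to start (`raise ValueError("pyramid-auth-secret must be set in all-in-one.conf")`) or, if keeping the instance up is preferred, a per-process random secret such as `binascii.hexlify(os.urandom(32)).decode()` so tickets merely become invalid on restart instead of being forgeable. `AuthTktAuthenticationPolicy` is constructed with only `secret`, `callback` and `hashalg`, leaving its cookie flags at their defaults, so consider also passing `http_only=True` (and `secure=True` when the instance is served over TLS) so the ticket cookie is not exposed to injected script or sent in clear. The body of `includeme` appears to continue past the end of this hunk.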