Securing 'pickle'

Ian Bicking ianb at colorstudy.com
Thu Jul 10 22:58:38 EDT 2003


On Thu, 2003-07-10 at 20:52, Erik Max Francis wrote:
> > Because now you need a mechanism to store the session info on the
> > server, and you might want it to work across multiple load-balanced
> > servers that fail over to one another, etc.
> 
> That's far superior to presenting the opportunity to exploits in the
> first place, in my opinion.  Depending on the contents of that cookie,
> what you suggest may not be a problem at all (depending
> on how critical the data contained therein is).

Security isn't a big deal -- or rather, securing cookies isn't a big
deal.  I think reliability will be a bigger problem.  Cookies can cause
problems even when you are just storing a simple session ID.  If you
start storing more information you're likely to run up against other
problems -- cookies can be hard to dispose of, who knows where they'll
get chopped off to preserve storage (it happens quickly), and IE has a
bug where you can't redirect and set a cookie at the same time, which
can really drive you crazy if you don't know about it.

Hidden fields are a much better way of keeping information on the
client.  They tend to make for more navigable pages too.  But if you
really want session, not transaction data, then you just need to figure
out server-side sessions.  The biggest advantage of a web application is
that it runs in a controlled environment (the server) and you should
take advantage of that.

  Ian
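The two designs the thread is weighing, side by side, as an added example that is not code from Ian's post or from the thread: first the pattern the subject line warns about (unpickling a cookie the browser controls, which lets the client choose what `pickle.loads` calls), then the server-side session Ian recommends, where the cookie carries only an opaque random id with an HMAC tag and every value stays on the server. All names here (`SessionStore`, `sign`, `verify`, `record`, `Evil`, `EXECUTED`) are this example's own, and the in-memory dict stands in for whatever shared store a load-balanced deployment would use.

```python
"""Session state: pickle-in-cookie (unsafe) versus server-side sessions."""
import hashlib
import hmac
import pickle
import secrets
import time

# ---------------------------------------------------------------------------
# 1. What goes wrong when the session is a pickle the client sends back
# ---------------------------------------------------------------------------
EXECUTED = []  # records that client-chosen code ran during unpickling


def record(msg):
    """Stand-in for whatever a hostile client would rather have called."""
    EXECUTED.append(msg)


class Evil:
    """Pickles to 'call record(...)'; pickle.loads performs that call."""

    def __reduce__(self):
        return (record, ("pickle.loads ran attacker-supplied code",))


def unsafe_load_cookie(cookie_bytes):
    """The anti-pattern: trust whatever pickle the browser hands back."""
    return pickle.loads(cookie_bytes)


def attacker_cookie():
    """Constructed payload a client could send instead of a real session."""
    return pickle.dumps(Evil())


# ---------------------------------------------------------------------------
# 2. Server-side sessions: the client only ever sees an opaque signed id
# ---------------------------------------------------------------------------
def sign(value, secret):
    """Append an HMAC-SHA256 tag so a tampered id is rejected before lookup."""
    tag = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify(cookie, secret):
    """Return the signed value, or None if the tag is missing or wrong."""
    value, sep, tag = cookie.rpartition(".")
    if not sep or not value:
        return None
    expected = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return value


class SessionStore:
    """Sessions keyed by a 256-bit random id; data never leaves the server.

    The dict would be a shared database or cache across load-balanced
    servers; the interface stays the same. `clock` is injectable so expiry
    can be exercised offline.
    """

    def __init__(self, secret, ttl=3600, clock=time.time):
        self._secret = secret
        self._ttl = ttl
        self._clock = clock
        self._sessions = {}

    def create(self, data):
        """Store `data` server-side and return the cookie value to set."""
        sid = secrets.token_urlsafe(32)  # unguessable, not sequential
        self._sessions[sid] = {"expires": self._clock() + self._ttl,
                               "data": dict(data)}
        return sign(sid, self._secret)

    def load(self, cookie):
        """Session dict for a valid, unexpired cookie; None otherwise."""
        sid = verify(cookie, self._secret)
        if sid is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self._clock():
            del self._sessions[sid]  # expired: drop it rather than revive it
            return None
        return entry["data"]

    def destroy(self, cookie):
        """Logout: forget the session so the cookie becomes worthless."""
        sid = verify(cookie, self._secret)
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    unsafe_load_cookie(attacker_cookie())
    print("unsafe pickle cookie:", EXECUTED)
    store = SessionStore(secret=secrets.token_bytes(32), ttl=600)
    cookie = store.create({"user": "alice", "cart": [42]})
    print("cookie carries no data:", "alice" not in cookie, cookie)
    print("server-side lookup:", store.load(cookie))
```

The signed id is about 110 characters, so it stays well clear of the cookie truncation Ian mentions, and because the client never holds anything but the id, there is nothing in the cookie to unpickle or to tamper with; a wrong tag fails in `verify`, an unknown or expired id fails in `load`, and logout is a server-side delete.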
