Securing 'pickle'

Paul Rubin http
Fri Jul 11 16:30:07 EDT 2003


Ian Bicking <ianb at colorstudy.com> writes:
> I should have said "securing cookies isn't hard", so that's not the
> reason not to use them (though you shouldn't just use plain-vanilla
> cookies).  

The signature scheme we've discussed does cause some configuration
hassle.  There has to be a host-specific secret key and it has to be
kept secret.  If it leaks to an attacker, the attacker can then create
malicious cookies.  So the scheme has to be used with care.
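As an added illustration, not code from this thread, here is a minimal Python 3 version of the signed-cookie scheme discussed above: the pickled payload is authenticated with an HMAC under a host-specific key, and the receiver verifies the tag before anything reaches `pickle.loads`. `SECRET_KEY` is a constructed placeholder generated at startup; a real deployment loads it from protected configuration.

```python
import base64
import hashlib
import hmac
import os
import pickle

# Host-specific secret; it must stay secret, since anyone holding it can
# produce valid tags. Constructed placeholder for this example only: a real
# deployment loads it from protected configuration, never from the cookie.
SECRET_KEY = os.urandom(32)
TAG_LEN = 32  # length in bytes of an HMAC-SHA256 tag


def sign_cookie(obj, key=None):
    """Pickle obj, append an HMAC-SHA256 tag, and return a cookie-safe string."""
    key = SECRET_KEY if key is None else key
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii")


def load_cookie(cookie, key=None):
    """Verify the tag and only then unpickle. Returns None on any failure."""
    key = SECRET_KEY if key is None else key
    try:
        raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
    except ValueError:  # bad characters or padding (binascii.Error is a ValueError)
        return None
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    # The tag verified under the host key, so the bytes were produced by a
    # holder of that key; untrusted bytes never reach pickle.loads.
    return pickle.loads(payload)


if __name__ == "__main__":
    cookie = sign_cookie({"user": "alice", "admin": False})
    print(load_cookie(cookie))                     # {'user': 'alice', 'admin': False}
    print(load_cookie(cookie, key=b"\x00" * 32))   # None: signed under another key
    print(load_cookie("not a cookie"))             # None: not a valid signed value
```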
