[Web-SIG] Python pickle and web security.

Jim Fulton jim at zope.com
Mon Sep 18 20:24:23 CEST 2006

On Sep 18, 2006, at 2:16 PM, Python wrote:

> On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote:
>> Why do you assume the session store is untrusted? If someone can hack
>> into my database, they can typically hack into my web application so
>> its pretty weird to consider the backend session store to be
>> "untrusted".
> You are assuming that the pickle is stored in a secure database.   
> If the
> pickle is in a cookie or some other client side storage, then it is
> definitely not to be trusted.

Right. Storing pickles in cookies is a very bad idea.
Hopefully, no one is doing that.


Jim Fulton			mailto:jim at zope.com		Python Powered!
CTO 				(540) 361-1714			http://www.python.org
Zope Corporation	http://www.zope.com		http://www.zope.org

More information about the Web-SIG mailing list