[Web-SIG] Python pickle and web security.
python at venix.com
Mon Sep 18 20:34:50 CEST 2006
On Mon, 2006-09-18 at 14:24 -0400, Jim Fulton wrote:
> On Sep 18, 2006, at 2:16 PM, Python wrote:
> > On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote:
> >> Why do you assume the session store is untrusted? If someone can hack
> >> into my database, they can typically hack into my web application so
> >> its pretty weird to consider the backend session store to be
> >> "untrusted".
> > You are assuming that the pickle is stored in a secure database.
> > If the
> > pickle is in a cookie or some other client side storage, then it is
> > definitely not to be trusted.
> Right. Storing pickles in cookies is a very bad idea.
> Hopefully, no one is doing that.
As it happens, I am not using cookies to store pickles, but I've
considered it. What makes it "a very bad idea"?
> Jim Fulton mailto:jim at zope.com Python Powered!
> CTO (540) 361-1714 http://www.python.org
> Zope Corporation http://www.zope.com http://www.zope.org
More information about the Web-SIG