[Python-Dev] Re: Cookie.py security

timo@timo-tasi.org timo@timo-tasi.org
Wed, 30 Aug 2000 14:51:52 -0400


hola.

On Wed, Aug 30, 2000 at 09:26:20AM -0400, A.M. Kuchling wrote:
> Question: should SerialCookie and SmartCookie be removed?  If they're
> not there, people won't accidentally use them because they didn't read
> the docs and missed the warning.
> 
> Con: breaks backward compatibility with the existing cookie module and
> forks the code.  

I had a thought about this - kind of an intermediate solution.

Right now, the shortcut 'Cookie.Cookie()' returns an instance of the
SmartCookie, which uses Pickle.  Most extant examples of using the
Cookie module use this shortcut.

We could change 'Cookie.Cookie()' to return an instance of SimpleCookie,
which does not use Pickle.  Unfortunately, this may break existing code
(like Mailman), but there is a lot of code out there that it won't break.

Also, people could still use the SmartCookie and SerialCookie classes,
but now they would be more likely to read them in the documentation
because they are "outside the beaten path".
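
Why the default returned by 'Cookie.Cookie()' matters, as an added example that is not part of the original message or the Cookie module: SimpleCookie hands the application the client's string untouched, while a pickle of even a harmless value carries opcodes that make an unpickler import and call names chosen by the sender. It uses Python 3's http.cookies.SimpleCookie; the helper names and the hex-encoded sample pickles are constructed for illustration, and the pickles are only inspected with pickletools, never loaded.

```python
import pickle
import pickletools
from datetime import date
from http.cookies import SimpleCookie  # Python 3 name of Cookie.SimpleCookie

# Opcodes that make an unpickler import a name or call a callable named by the data.
IMPORT_CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ",
                       "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def cookie_values(header):
    """Parse a Cookie header the SimpleCookie way: every value stays a str."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def import_call_opcodes(hex_value):
    """List import/call opcodes in a hex-encoded pickle without unpickling it.

    Returns None when the value is not a well-formed pickle.
    """
    try:
        raw = bytes.fromhex(hex_value)
        seen = {op.name for op, _arg, _pos in pickletools.genops(raw)}
    except ValueError:
        return None
    return sorted(seen & IMPORT_CALL_OPCODES)


# Constructed sample values: what a pickle-backed cookie class would put on the wire.
PLAIN_DICT = pickle.dumps({"user": "timo"}, protocol=2).hex()
HARMLESS_DATE = pickle.dumps(date(2000, 8, 30), protocol=2).hex()

if __name__ == "__main__":
    header = "theme=dark; session=" + HARMLESS_DATE
    for name, value in cookie_values(header).items():
        # SimpleCookie yields str; the opcode scan shows what unpickling would trigger.
        print(name, type(value).__name__, import_call_opcodes(value))
```

A dict of strings needs no import or call opcodes, but the date value already does, which is why a pickle-decoding default cannot be made safe by checking what the server itself meant to store.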