Securing 'pickle'

Paul Rubin http
Fri Jul 11 12:30:01 EDT 2003


Alan Kennedy <alanmk at hotmail.com> writes:
> Do you mean transmit the checksum to the client with the cookie? And
> check that they match when the cookie and checksum come back?

Yes.  See other posts in the thread for sample code.

> Or is the checksum stored on the server, in some form of lookup
> dictionary keyed by some user session identifier?

If you have a convenient way to do that, it's best to just send a
session number in the cookie, and keep all the session data on the
server.  Then you don't ever have to unpickle anything.
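
Both options from this message, as an added example that is not part of the original post or the thread's sample code. It assumes HMAC-SHA256 as the "checksum"; `SERVER_KEY`, `make_cookie`, `read_cookie`, `new_session` and `load_session` are hypothetical names.

```python
import hashlib
import hmac
import pickle
import secrets

# Assumption: a secret held only by the server and never sent to the client.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size


def make_cookie(data, key=SERVER_KEY):
    """Pickle data and prepend a keyed checksum (HMAC-SHA256) of the pickle."""
    payload = pickle.dumps(data)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (tag + payload).hex()


def read_cookie(cookie, key=SERVER_KEY):
    """Return the data only if the checksum matches; otherwise never unpickle."""
    try:
        raw = bytes.fromhex(cookie)
    except ValueError:
        return None  # not even well-formed hex
    if len(raw) < TAG_LEN:
        return None  # too short to contain a checksum
    tag, payload = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; the check comes before pickle.loads, not after.
    if not hmac.compare_digest(tag, expected):
        return None
    return pickle.loads(payload)


# Second option: the cookie carries only a random session number and the
# data stays in a server-side table, so nothing from the client is unpickled.
SESSIONS = {}


def new_session(data):
    sid = secrets.token_urlsafe(32)  # unguessable session identifier
    SESSIONS[sid] = data
    return sid


def load_session(sid):
    return SESSIONS.get(sid)  # unknown or forged ids yield None
```

A matching checksum only shows that the server produced the cookie at some point, so an old cookie can still be replayed; the server-side table avoids that because the server decides what each session currently holds.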



