Storing a Value in a Cookie

Chris Rebert clp2 at rebertia.com
Wed Dec 16 04:42:19 EST 2009


On Wed, Dec 16, 2009 at 1:13 AM, Victor Subervi <victorsubervi at gmail.com> wrote:
> Hi;
> From what I've studied and gotten working about cookies, it seems one can
> store only a certain few pieces of information--expiration, path, comment,
> domain, max-age, version and last visit--but how is it useful if one can't
> also store, say, the name of a temporary MySQL table where pertinent
> customer data, such as shopping cart data, is stored? I guess I could put
> that into the comment field, but I suspect there's a better way of doing it.
> Please advise.

Besides the metadata you mentioned, a cookie can also store one
key-value pair, which is sent as the first part of the "Cookie" HTTP
header when setting the cookie ("Cookie: name=value"); this is
typically used to store a session ID.
It is inadvisable to store much data other than a session ID in a
cookie because as a rule, in order to avoid security risks, clients
should not be trusted. In the example you give of storing the name of
an SQL table, someone could guess the name of another user's SQL table
and alter their cookie to masquerade as that user, thus compromising
the other customer's shopping cart, and depending on the contents of
the SQL table, potentially their credit card.
Most web frameworks, like Django, will handle low-level details like
setting and getting cookies for you and provide a higher-level API for
dealing with sessions and/or users.

Cheers,
Chris
--
http://blog.rebertia.com
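Added example, not part of the original thread: it shows the pattern Chris describes, in plain-library Python. The cookie carries only an opaque, signed session ID; the per-customer data (here, the name of the cart table from Victor's question) stays in a server-side store keyed by that ID, so a client cannot point its cookie at another user's data. The `SERVER_SECRET` value, the in-memory `_sessions` dict and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from http.cookies import CookieError, SimpleCookie

# Assumed for this example: a server-side secret. In a real deployment load it
# from configuration or a secrets manager, never from source code.
SERVER_SECRET = b"example-secret-do-not-use-in-production"

# Assumed server-side session store: session_id -> per-user data.
# A database or cache would play this role; the client never sees these values.
_sessions = {}


def create_session(user_data):
    """Issue an unguessable session ID and keep the user's data on the server."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    _sessions[session_id] = dict(user_data)
    return session_id


def sign(value):
    """HMAC-SHA256 tag over the cookie value so tampering is detectable."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()


def build_set_cookie_header(session_id, path="/", max_age=3600):
    """Build the 'Set-Cookie:' line the server sends; value is id.tag."""
    c = SimpleCookie()
    c["session"] = f"{session_id}.{sign(session_id)}"
    c["session"]["path"] = path
    c["session"]["max-age"] = max_age
    c["session"]["httponly"] = True   # not readable from page scripts
    c["session"]["secure"] = True     # only sent over HTTPS
    return c.output(header="Set-Cookie:")


def lookup_session(cookie_header):
    """Parse an incoming 'Cookie:' header value and return the session data.

    Returns None for a missing cookie, a bad signature, or an unknown ID, so
    a guessed or edited cookie never resolves to another customer's data.
    """
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except CookieError:
        return None
    morsel = c.get("session")
    if morsel is None:
        return None
    session_id, sep, tag = morsel.value.rpartition(".")
    if not sep or not hmac.compare_digest(tag, sign(session_id)):
        return None
    return _sessions.get(session_id)


if __name__ == "__main__":
    # Constructed sample: the cart table name never leaves the server.
    sid = create_session({"cart_table": "cart_42"})
    print(build_set_cookie_header(sid))
    print(lookup_session(f"session={sid}.{sign(sid)}"))   # {'cart_table': 'cart_42'}
    print(lookup_session(f"session={sid}.deadbeef"))      # None: tampered tag
```

The signature alone is not what protects the other customer; the server-side lookup is. The HMAC just lets the server reject edited cookies cheaply before touching the store, and the random 256-bit ID makes guessing another session impractical.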
