Storing a Value in a Cookie

Victor Subervi victorsubervi at gmail.com
Wed Dec 16 05:21:52 EST 2009


On Wed, Dec 16, 2009 at 4:42 AM, Chris Rebert <clp2 at rebertia.com> wrote:

> On Wed, Dec 16, 2009 at 1:13 AM, Victor Subervi <victorsubervi at gmail.com>
> wrote:
> > Hi;
> > From what I've studied and gotten working about cookies, it seems one can
> > store only a certain few pieces of information--expiration, path,
> > comment, domain, max-age, version and last visit--but how is it useful
> > if one can't also store, say, the name of a temporary MySQL table where
> > pertinent customer data, such as shopping cart data, is stored? I guess
> > I could put that into the comment field, but I suspect there's a better
> > way of doing it.
> > Please advise.
>
> Besides the metadata you mentioned, a cookie can also store one
> key-value pair, which is sent as the first part of the "Cookie" HTTP
> header when setting the cookie ("Cookie: name=value"); this is
> typically used to store a session ID.
> It is inadvisable to store much data other than a session ID in a
> cookie because as a rule, in order to avoid security risks, clients
> should not be trusted. In the example you give of storing the name of
> an SQL table, someone could guess the name of another user's SQL table
> and alter their cookie to masquerade as that user, thus compromising
> the other customer's shopping cart, and depending on the contents of
> the SQL table, potentially their credit card.
> Most web frameworks, like Django, will handle low-level details like
> setting and getting cookies for you and provide a higher-level API for
> dealing with sessions and/or users.
>

Well, I'm not using a web framework like Django and this shopping cart is
almost completely written, so I'm not about to switch. So, how do I use the
session ID to correlate with the user's temp MySQL table?
TIA,
V
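The correlation Chris describes, as an added illustration that is not code from this thread: the cookie carries only a random session ID, and a server-side store (a plain dict here, standing in for a MySQL table) maps that ID to the server-chosen cart table name, so a client who edits the cookie can at most present an ID the server does not know.

```python
import secrets
import time
from http.cookies import CookieError, SimpleCookie

SESSION_TTL = 3600  # seconds a session stays valid

# Server-side session store: session id -> {"table": ..., "expires": ...}.
# Constructed stand-in for a MySQL (or similar) table; the point is that the
# table name lives here, on the server, and never in the cookie itself.
SESSIONS = {}


def create_session(now=None):
    """Start a session for a new visitor; return (session_id, Set-Cookie line)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable
    # The server picks the temp table name; it is only safe to splice into
    # SQL because we generated it from a fixed prefix plus hex digits.
    table = "cart_" + secrets.token_hex(8)
    SESSIONS[sid] = {"table": table, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["path"] = "/"
    cookie["sid"]["httponly"] = True   # not readable by page scripts
    cookie["sid"]["secure"] = True     # only sent over HTTPS
    cookie["sid"]["samesite"] = "Lax"  # needs Python 3.8+
    return sid, cookie.output()


def table_for_request(cookie_header, now=None):
    """Look up the cart table for a 'Cookie' request header, or None."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    session = SESSIONS.get(morsel.value)
    if session is None:
        return None  # unknown or forged id: no table, no cart
    if session["expires"] <= now:
        SESSIONS.pop(morsel.value, None)  # expired: forget it server-side
        return None
    return session["table"]
```

The only value the browser ever holds is `sid`; on each request the CGI script calls `table_for_request` and uses the returned name, so a guessed or altered cookie cannot select another customer's table.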