[Web-SIG] Python pickle and web security.
Jim Fulton
jim at zope.com
Mon Sep 18 20:24:23 CEST 2006
On Sep 18, 2006, at 2:16 PM, Python wrote:
> On Mon, 2006-09-18 at 10:27 -0700, Ben Bangert wrote:
>> Why do you assume the session store is untrusted? If someone can hack
>> into my database, they can typically hack into my web application so
>> its pretty weird to consider the backend session store to be
>> "untrusted".
>
> You are assuming that the pickle is stored in a secure database.
> If the
> pickle is in a cookie or some other client side storage, then it is
> definitely not to be trusted.
Right. Storing pickles in cookies is a very bad idea.
Hopefully, no one is doing that.
Jim
--
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org
More information about the Web-SIG
mailing list