On Wed, Dec 16, 2009 at 1:13 AM, Victor Subervi <victorsube...@gmail.com> wrote:
> Hi;
> From what I've studied and gotten working about cookies, it seems one can
> store only a certain few pieces of information--expiration, path, comment,
> domain, max-age, version and last visit--but how is it useful if one can't
> also store, say, the name of a temporary MySQL table where pertinent
> customer data, such as shopping cart data, is stored? I guess I could put
> that into the comment field, but I suspect there's a better way of doing it.
> Please advise.
Besides the metadata you mentioned, a cookie can also store one key-value pair, which is sent as the first part of the "Cookie" HTTP header when setting the cookie ("Cookie: name=value"); this is typically used to store a session ID.

It is inadvisable to store much data other than a session ID in a cookie because, as a rule, in order to avoid security risks, clients should not be trusted. In the example you give of storing the name of an SQL table, someone could guess the name of another user's SQL table and alter their cookie to masquerade as that user, thus compromising the other customer's shopping cart and, depending on the contents of the SQL table, potentially their credit card.

Most web frameworks, like Django, will handle low-level details like setting and getting cookies for you and provide a higher-level API for dealing with sessions and/or users.

Cheers,
Chris
--
http://blog.rebertia.com
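The pattern Chris describes, an opaque session ID in the cookie and the sensitive data (such as the cart table name) kept on the server, as an added example that is not part of either message in the thread. It uses only the standard library (`secrets` for an unguessable ID, `http.cookies.SimpleCookie` for the header syntax); the in-memory `SESSION_STORE` dict, the `sessionid` cookie name and the `cart_table` field are assumptions standing in for whatever a real application would use.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side session store (assumption for this example).
# A real deployment would keep this in a database or cache with expiry;
# the point is that the client only ever sees the random key, never the data.
SESSION_STORE = {}

COOKIE_NAME = "sessionid"


def create_session(cart_table_name):
    """Store per-customer data server-side and return the opaque session ID.

    secrets.token_urlsafe(32) yields 256 bits of randomness (43 URL-safe
    characters), so another user's ID cannot be guessed the way a table
    name such as 'cart_12345' could be.
    """
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {"cart_table": cart_table_name}
    return session_id


def build_set_cookie_header(session_id):
    """Return the Set-Cookie header line the server sends to the browser."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["path"] = "/"
    # HttpOnly keeps the ID out of reach of page scripts.
    cookie[COOKIE_NAME]["httponly"] = True
    return cookie.output(header="Set-Cookie:")


def session_from_cookie_header(cookie_header):
    """Look up the session for an incoming 'Cookie:' header value.

    The cookie value is treated purely as a lookup key: an unknown, altered
    or guessed value simply finds no session and returns None.  Nothing the
    client sends is interpreted as a table name or any other trusted datum.
    """
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSION_STORE.get(morsel.value)


if __name__ == "__main__":
    sid = create_session("cart_12345")          # constructed sample table name
    print(build_set_cookie_header(sid))
    print(session_from_cookie_header("%s=%s; theme=dark" % (COOKIE_NAME, sid)))
    print(session_from_cookie_header("%s=cart_12345" % COOKIE_NAME))  # None
```

The contrast with the original idea is in `session_from_cookie_header`: because the cookie carries only a random key, tampering with it yields no session rather than someone else's cart, which is the same property frameworks such as Django's session middleware give you out of the box.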