On Sep 15, 2006, at 7:23 PM, René Dudfield wrote:

> That seems like a good way to stop the untrusted session store from
> being able to inject sessions in there. That could at least solve the
> problem of using pickles from untrusted session stores.
>
> Are you just using the basic python types? eg dict, string, list,
> numbers etc? If so, perhaps using another serialiser will remove some
> more risk if you cared.
Why do you assume the session store is untrusted? If someone can hack into my database, they can typically hack into my web application, so it's pretty weird to consider the backend session store to be "untrusted". I think this is why using pickle for sessions is pretty harmless, as you're the one writing to them, not the user. While I can imagine a few situations where an untrusted session store might come into play, I'd generally imagine that the vast majority of the time one does trust their session storage as much as they trust that their application can't have its source code modified.

Cheers,
Ben

_______________________________________________
Web-SIG mailing list
Web-SIG@python.org
Web SIG: http://www.python.org/sigs/web-sig
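The two ideas raised in the thread, restricting sessions to basic Python types with a serialiser other than pickle and authenticating each record so a store that turns out to be untrusted cannot inject or alter sessions, fit together in a few lines of standard-library Python. The following is an added example for illustration, not code from either poster or from any framework discussed on the list; the function names, the `SECRET_KEY` value and the sample session data are constructed for the demo.

```python
"""Session codec that stores only basic types (dict, list, str, int, float,
bool, None) as JSON and authenticates each record with HMAC-SHA256.
A record that was not produced with the key, or was modified in the store,
is rejected before any of its content is used.  Standard library only."""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key.  A real deployment loads this from configuration
# and keeps it out of the session store itself.
SECRET_KEY = b"constructed-demo-key-do-not-use"

_SCALARS = (str, int, float, bool, type(None))


def _check_basic(value):
    """Raise TypeError unless `value` is built only from basic types.

    This is the 'basic python types' restriction from the thread: anything
    that would need pickle (class instances, functions, ...) is refused at
    write time instead of being reconstructed at read time."""
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise TypeError("session keys must be str, got %r" % type(key).__name__)
            _check_basic(item)
    elif isinstance(value, list):
        for item in value:
            _check_basic(item)
    elif not isinstance(value, _SCALARS):
        raise TypeError("session values must be basic types, got %r" % type(value).__name__)


def encode_session(data, key=SECRET_KEY):
    """Serialise `data` as canonical JSON and append an HMAC tag.

    Returns bytes of the form  base64(payload) + b"." + base64(tag)."""
    _check_basic(data)
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)


def decode_session(blob, key=SECRET_KEY):
    """Verify the tag, then parse the JSON payload.

    Raises ValueError for malformed, forged or tampered records.  json.loads
    is only reached after the record has been authenticated, and it can only
    ever yield basic types, so there is no object reconstruction step."""
    try:
        payload_b64, tag_b64 = blob.split(b".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed session record")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag check does not leak timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("session record failed authentication")
    return json.loads(payload.decode("utf-8"))


def is_rejected(blob, key=SECRET_KEY):
    """True if `blob` is refused by decode_session (used by the demo below)."""
    try:
        decode_session(blob, key)
    except ValueError:
        return True
    return False


def tamper(blob):
    """Constructed store-side modification: change one base64 character of
    the payload so the record stays well-formed but no longer matches the
    tag.  Models a store that rewrites a session behind the application's
    back."""
    first = b"B" if blob[:1] == b"A" else b"A"
    return first + blob[1:]


if __name__ == "__main__":
    session = {"user": "alice", "roles": ["editor"], "visits": 3}
    record = encode_session(session)
    print("round trip ok:", decode_session(record) == session)
    print("tampered rejected:", is_rejected(tamper(record)))
    print("wrong key rejected:", is_rejected(record, key=b"another-key"))
```

Running the module prints three `True` lines. The design choice worth noting is the ordering: the HMAC is checked before `json.loads`, so nothing in a record is interpreted until it is known to have been written by a holder of the key, which is what makes the "trusted store" assumption explicit rather than implicit.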