Michael S. Fischer
michael at dynamine.net
Fri Nov 7 10:10:14 EST 2003
Hi Grisha,

I have some comments WRT section 4.7.1 in the 3.1.2b mod_python manual.

First, please explain to us why we need yet another cookie class,
especially one that has the same name as the package that ships with
Python ("Cookie"). I have to admit, though, that SignedCookie looks
like a really nice convenience class.

Second, it's really important that you emphasize the security risks of
using MarshalCookie; see the Python documentation for SerialCookie to
see why. Also, there are efficient-length considerations; constructing
cookies representing 100kB data structures would not be "best practice."

--Michael
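
The two concerns in the message above (deserializing client-supplied cookie data, and cookie size), as an added example that is not part of the original post and is not mod_python's code: the value is checked against an HMAC before anything is decoded, the payload uses a data-only format (JSON, swapped in here in place of marshal), and the size is capped. The function names, the 4096-byte cap and the secret handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumed cap: browsers commonly limit a single cookie to roughly 4 KB.
MAX_COOKIE_BYTES = 4096


def _sign(payload: str, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the encoded payload."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def encode_cookie(obj, secret: bytes) -> str:
    """Serialize obj as JSON and return 'signature.payload'."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    payload = base64.urlsafe_b64encode(raw).decode("ascii")
    value = _sign(payload, secret) + "." + payload
    if len(value) > MAX_COOKIE_BYTES:
        # Large structures belong in server-side storage keyed by a short id.
        raise ValueError("cookie value too large")
    return value


def decode_cookie(value: str, secret: bytes):
    """Return the stored object; raise ValueError if oversized or tampered."""
    if len(value) > MAX_COOKIE_BYTES:
        raise ValueError("cookie value too large")
    sig, sep, payload = value.partition(".")
    if not sep:
        raise ValueError("malformed cookie")
    expected = _sign(payload, secret)
    # Constant-time comparison, done BEFORE any decoding of the payload.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("bad signature")
    # Only reached for values this server signed; JSON yields plain data only.
    return json.loads(base64.urlsafe_b64decode(payload))
```
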