Brian Bird
brian.bird at securetrading.com
Wed Aug 11 11:44:39 EDT 2004
I'm implementing a session-based login system using mod_python. I decided to use SignedCookie because the cookie will contain the login name of the authenticated user and I therefore need to ensure the cookie has not been tampered with on the client (if there's a better way to do this kind of thing, could someone point me in the right direction?).

If I create a session using the following command:

    s=Session.DbmSession(self.req, secret="mysecret")

then the session will be created using SignedCookie. If on a subsequent request I perform the same command, I get back the same session. Everything is fine so far.

However, if I change the value of "mysecret" I thought I would get an error (since this is equivalent to someone tampering with the signed cookie, isn't it?). The command works though. I see from looking at Session.py that a SignedCookie is created (line 111 in Session.py), but its type is not checked (the documentation says you should check the type to ensure it is SignedCookie, not Cookie; otherwise the signature verification has failed). The variable "cookies" normally contains a SignedCookie object, but when I change "mysecret" it contains a Cookie object.

Does this mean that the cookie signature is not being verified correctly if using Session.py, or am I missing something? Why does SignedCookie return an instance of Cookie if the signature verification fails rather than raising an Exception?

Thanks,
Brian
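The failure mode described in the post, as an added example that is not part of the original message and not mod_python's own code: a constructed stand-in for the two cookie classes, where a signed cookie whose signature does not verify comes back as a plain Cookie instead of raising. The wire layout (hex HMAC followed by the value), the cookie name "pysid" and the helper names are assumptions made for this example. The naive loader trusts whatever value the parser returns; the checked loader only accepts the login name when an isinstance check confirms the signature actually verified under the current secret.

```python
import hashlib
import hmac


class Cookie:
    """Plain, unverified cookie (constructed stand-in, not mod_python's class)."""

    def __init__(self, name, value):
        self.name = name
        self.value = value


class SignedCookie(Cookie):
    """Cookie carrying an HMAC over its value (constructed stand-in)."""

    def __init__(self, name, value, secret):
        super().__init__(name, value)
        self.secret = secret

    @staticmethod
    def _sign(value, secret):
        return hmac.new(secret.encode(), value.encode(), hashlib.sha256).hexdigest()

    def serialize(self):
        # Assumed wire format for this example: "<hex signature><value>".
        return self._sign(self.value, self.secret) + self.value

    @classmethod
    def parse(cls, name, raw, secret):
        """Return a SignedCookie if the signature verifies under `secret`;
        otherwise return a plain Cookie holding the unverified value, which is
        the documented behaviour the post describes (no exception is raised)."""
        sig_len = hashlib.sha256().digest_size * 2  # hexdigest length
        sig, value = raw[:sig_len], raw[sig_len:]
        expected = cls._sign(value, secret)
        if hmac.compare_digest(sig, expected):
            return cls(name, value, secret)
        return Cookie(name, value)


def naive_session_user(raw, secret):
    """Reads the login name without checking the returned type, so a cookie
    signed under a different secret (or not signed at all) is still accepted."""
    return SignedCookie.parse("pysid", raw, secret).value


def checked_session_user(raw, secret):
    """Trusts the login name only when verification returned a SignedCookie."""
    cookie = SignedCookie.parse("pysid", raw, secret)
    if not isinstance(cookie, SignedCookie):
        return None  # signature did not verify: treat as no session
    return cookie.value


def demo():
    # Constructed sample: a cookie issued under "mysecret", then read back
    # with the same secret and with a changed secret (the post's scenario).
    raw = SignedCookie("pysid", "alice", "mysecret").serialize()
    return {
        "same_secret": checked_session_user(raw, "mysecret"),
        "changed_secret_naive": naive_session_user(raw, "othersecret"),
        "changed_secret_checked": checked_session_user(raw, "othersecret"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user!r}")
```

Running the demo shows why the type check matters: with the changed secret the naive loader still returns "alice", while the checked loader returns None and the request is treated as unauthenticated. Any session code built on a parser with this return-a-plain-Cookie convention needs that isinstance check (or an equivalent explicit verification result) before using the value for authorization.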