[mod_python] Cookie vs. Session

Shawn Harrison harrison at tbc.net
Wed Feb 9 09:47:28 EST 2005

> On 09/02/2005, at 11:21 AM, Jef Dodson wrote:
>> This might be a naive question, but how does one know whether to use a
>> Cookie or a Session for session/state management?  What are the major
>> differences?  My interest is in simply allowing someone to log in to a
>> site and then be able to identify that user when they make subsequent
>> requests in order to send them customized content.  So, this is pretty
>> standard stuff, but is it better to use cookies or session objects for
>> this?  Thanks.

If you use cookies directly, each variable that you want to set (such as 
username) is stored client-side, in the browser of the person looking at 
the page. If you use session objects, only the session id is stored 
client-side. All the other variables are stored server-side, keyed to 
the session id.

Byron Ellacott wrote [02/08/05 11:41 PM]:
> [...]
> Just bear in mind, it would be trivial to spoof yourself to appear to be 
> another user with such a simple scheme.  If this is in any way bad, you 
> would probably want to consider at least using a SignedCookie instead of 
> a regular Cookie object.  The documentation for the Cookie module can 
> help you further.

I recently set up session management on my last project and had the same 
question about "Session vs just Cookie" for session management. I ended 
up going with the Session object primarily because the session id, which 
is stored in a cookie, would be very hard to spoof. Then the username 
and any other information is stored server-side. This arrangement is a 
bit more secure than just storing usernames in cookies.

harrison at tbc.net
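
The three schemes discussed in this thread, side by side, as an added example that is not part of the original message and does not use mod_python's own Cookie, SignedCookie or Session classes. It is stand-alone Python using only the standard library; every function name, the `SECRET` key and the in-memory `SESSIONS` store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-only signing key, generated for this example
SESSIONS = {}  # server-side store: session id -> variables (stand-in for a real store)


def plain_cookie_user(cookie):
    """Scheme 1: the cookie value is the username, so the client chooses it."""
    return cookie


def make_signed_cookie(username):
    """Scheme 2: username plus an HMAC that only the server can compute."""
    mac = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def signed_cookie_user(cookie):
    """Return the username only if the signature matches, else None."""
    username, sep, mac = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return username if ok else None


def open_session(username):
    """Scheme 3: the cookie carries a random id; variables stay server-side."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"username": username}
    return sid


def session_user(sid):
    """Look the id up on the server; an unknown or guessed id yields None."""
    data = SESSIONS.get(sid)
    return data["username"] if data else None


if __name__ == "__main__":
    bob = make_signed_cookie("bob")
    forged = "alice|" + bob.split("|")[1]  # username edited, old signature reused
    print(plain_cookie_user("alice"), signed_cookie_user(bob), signed_cookie_user(forged))
    print(session_user(open_session("bob")), session_user("0" * 32))
```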
