Re: [Zope] User-private folderish object
Please stay on the list (readded)!

Richard Jennings wrote at 2005-1-30 07:17 +0100:
... user-private folder with session lifetime ...
...
The available documentation talks of session *data* objects.

You can put any serializable (picklable) and especially any persistent object into a session.

It looks like:

    obj = <YourConstructor>(...)
    session[<someKey>] = obj

You can later access your object with "session[<someKey>]".

[DM] This is as safe (and private) as the session itself (which is not completely but rather safe).
[RJ] What, exactly, is the weakness here?

If someone spoofs the session id, they can look into the session and change it.
With sufficient privileges, someone can list all session objects and look into them (and change them).

--
Dieter
Dieter Maurer
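
Added example, not part of the original message and not Zope's own API: a stand-alone sketch of the first weakness named above, where the session id is the only thing protecting the stored object, and of one mitigation, recording the owner in the object and checking it against the authenticated user on every access. `SessionStore`, `PrivateFolder` and `open_private_folder` are hypothetical names; `SessionStore` is an in-memory stand-in for a session data container.

```python
import secrets


class PrivateFolder:
    """Folder-like object kept in a session (hypothetical class).

    Module-level class with plain attributes, so it is picklable.
    """

    def __init__(self, owner_id):
        self.owner_id = owner_id  # authenticated user the folder belongs to
        self.items = {}


class SessionStore:
    """In-memory stand-in for a session data container (assumption)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # 32 bytes from the OS CSPRNG: the id must be infeasible to guess,
        # because possession of it is what grants access to the data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Whoever presents a valid id gets the session, with no further check.
        return self._sessions.get(sid)


def open_private_folder(store, sid, authenticated_user, key="private_folder"):
    """Return the caller's folder, refusing a session id used by another user."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown or expired session")
    folder = session.get(key)
    if folder is None:
        # First access: create the folder and bind it to the current user.
        folder = session[key] = PrivateFolder(authenticated_user)
    if folder.owner_id != authenticated_user:
        # A valid session id presented under a different identity.
        raise PermissionError("session does not belong to this user")
    return folder
```

The owner check does nothing against the second weakness: a sufficiently privileged user who can enumerate the store still reads and changes every object in it.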