[Zope] User-private folderish object

Dieter Maurer dieter at handshake.de
Sun Jan 30 13:25:58 EST 2005


Please stay on the list (readded)!

Richard Jennings wrote at 2005-1-30 07:17 +0100:
> ... user-private folder with session lifetime ...
> ...
>The available documentation talks of session *data* objects.

You can put any serializable (picklable) and especially
any persistent object into a session. It looks like:

    obj = <YourConstructor>(...)
    session[<someKey>] = obj

You can later access your object with "session[<someKey>]".

[DM]
>> This is as safe (and private) as the session itself (which
>> is not completely but rather safe).
[RJ]
>What, exactly, is the weakness here?

If someone spoofs the session id, it can look into the session
and change it.

With sufficient privileges, someone can list all session
objects and look into them (and change them).


-- 
Dieter
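The two points made above (any picklable object can be stored under a session key, and the session id is the only thing standing between that object and whoever presents the id; a sufficiently privileged account can enumerate every session) are illustrated by the following added example. It is not Zope's session implementation and not code from the thread: a constructed in-memory store with the same `session[key] = obj` shape, an unguessable id, a session lifetime, and a manager-only listing, with the class names `Note` and `SessionStore` and the `demo()` driver being assumptions of this example.

```python
import pickle
import secrets
import time


class Note:
    """Stand-in for the 'user-private folderish object' from the thread.
    Any picklable object would do; this one just carries a list of names."""

    def __init__(self, items):
        self.items = list(items)


class SessionStore:
    """Constructed toy: maps session id -> (expiry, {key: pickled object}).
    The session id is a bearer token, so it must come from a CSPRNG."""

    def __init__(self, lifetime_seconds=1800, clock=time.time):
        self._sessions = {}
        self.lifetime = lifetime_seconds
        self._clock = clock  # injectable for testing expiry

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of OS randomness
        self._sessions[sid] = (self._clock() + self.lifetime, {})
        return sid

    def _live(self, sid):
        """Return the data dict for a live session, dropping expired ones."""
        entry = self._sessions.get(sid)
        if entry is None:
            raise KeyError("unknown session")
        expiry, data = entry
        if self._clock() > expiry:
            del self._sessions[sid]
            raise KeyError("session expired")
        return data

    def put(self, sid, key, obj):
        # Store a serialized copy, as a persistent session would.
        self._live(sid)[key] = pickle.dumps(obj)

    def get(self, sid, key):
        # Only objects this store pickled itself are ever unpickled here.
        return pickle.loads(self._live(sid)[key])

    def list_all(self, caller_is_manager):
        """The second weakness from the post: a privileged account on the
        server can enumerate every live session and read its contents."""
        if not caller_is_manager:
            raise PermissionError("listing sessions requires manager privilege")
        return {
            sid: {k: pickle.loads(v) for k, v in data.items()}
            for sid, (expiry, data) in self._sessions.items()
            if self._clock() <= expiry
        }


def demo():
    """Walk through both weaknesses and the lifetime limit with a fake clock."""
    now = [1000.0]
    store = SessionStore(lifetime_seconds=60, clock=lambda: now[0])
    sid = store.new_session()
    store.put(sid, "private_folder", Note(["draft.txt"]))

    # First weakness: the id alone grants read and write access to the object,
    # so it is exactly as private as the id is secret.
    seen = store.get(sid, "private_folder").items
    store.put(sid, "private_folder", Note(["draft.txt", "added_by_id_holder"]))
    changed = store.get(sid, "private_folder").items

    # Second weakness: a manager sees every session, including this one.
    listing = store.list_all(caller_is_manager=True)

    # Session lifetime bounds the exposure: after expiry the object is gone.
    now[0] += 61
    try:
        store.get(sid, "private_folder")
        expired = False
    except KeyError:
        expired = True
    return seen, changed, len(listing), expired


if __name__ == "__main__":
    print(demo())
```

The lifetime check and the CSPRNG-generated id are the two controls a defender has on this design: they shorten the window in which a leaked id is useful and make guessing one impractical, but they do not change the fact that the id is a bearer credential, which is the caveat the post makes.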

