On Sep 24, 8:22 pm, Benjamin Slavin <benjamin.sla...@gmail.com> wrote: > Unfortunately, this approach won't work. > > A malicious client can just send "key" rather than "key__Xsigned" and > you'll never know that the cookie hasn't gone through validation. > This also means that you can't look for cookie values that match a > specific format (ex: body.signature) because a malicious client could > just drop the signature portion. > > As always, we can't trust the client. :-(
Good point - that rules that approach out. > 1) request.unsign_cookie('foo') -- This breaks the parallelism with > existing cookies. Sometimes we'll be doing request.COOKIES['foo'] and > sometimes we'll be doing request.unsign_cookie('foo'). If we were going to do that, it would make sense to NOT have set_cookie (... sign=True) as the API for setting one. We could achieve parallelism with something like this: response.sign_cookie('key', 'value') ... value = request.unsign_cookie('key') You can still read request.COOKIES directly, but you'll get the raw, signed value. That API doesn't look too ugly to me. > 2) A decorator for views -- @unsign_cookies("foo", "bar") -- This > doesn't allow any sort of fall-back (you can't customize what to do if > a given cookie is improperly signed) If a cookie is improperly signed I think you silently discard it, as if it was never set. If we had logging this could always be logged as well... we could fire a signal if we really think people might want to further customise it. > 3) COOKIES as an intelligent object -- We can overload .get so we're > doing something like request.COOKIES.get('foo', signed=True) -- I > think this has the best chance at an interface that keeps a consistent > feel. It's completely backward compatible, though it breaks the > traditional expectation of what you can do via the `get` method on a > dictionary. This isn't so bad, since we already have a precedent for this in request.POST.get_list('foo'). request.COOKIES.get_signed(key) might be OK. At the moment I think my preference is for response.sign_cookie and request.unsign_cookie, though I'm a bit worried that "unsign cookie" doesn't obviously mean "get the cookie, check if the signature is OK and return the value if it is". I like that unsign_cookie maps to the low level signed.unsign API, but it might well be that most users never use the low level signing API and the cookie stuff is the only bit of it they ever see. Cheers, Simon --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---