[Zope] [ANNOUNCE]CookieCutter product uploaded.

TFE MMS JARVIS JOHN jarvis.sd082@ex.tel.co.jp
Tue, 6 Apr 1999 13:53:51 +0900


Thanks to DC, the CookieCutter product can be downloaded at
http://www.zope.org/Download/Contrib/CookieCutter.tar.gz

The CookieCutter product allows the storage of multiple data objects
of possibly differing types in a single cookie. This is accomplished
by storing the objects in a dictionary which is pickled via dumps
and sent in the cookie. At the server, the cookie is unpickled
via loads and, if desired, copied into the REQUEST namespace.

Documentation is included in the product's doc string as well as
README.txt. This really is a simple product and shouldn't be too
hard to understand, improve, and customize.

As a word of WARNING, Amos Latteier pointed out to me that this
product poses security risks as it unpickles code received from 
over a network. There is a chance that a malicious user could 
put a trojan horse into a cookie that could compromise your server.
I recommend studying the Python documentation for pickle before
using this. You've been warned.

Some other points:
1. CookieCutter doesn't (and can't) avoid cookie name clashes.
2. Dictionary keys contained in the cookie but not specified in the 
    CookieCutter object are ignored. (This is a feature!)
3. If you're only storing strings, it might be more efficient to write
    a method to flatten out the dictionary into a "key<separator>value"
    like string and store that instead of a pickle. This would also 
    reduce the security worry.
4. Pickles can get really big. You've got a 4KB limit but Be Nice.
5. I can never get my source code to look as good as everyone 
    else's. >:^(
6. The usual disclaimers apply. Use this software at your own risk.

Looking forward to comments/criticism.
John Jarvis

BTW, I couldn't get RESPONSE.expireCookie to work so CookieCutter
implements its own (which is actually a modified copy from Request.py ;^).
 Has anyone else had problems with this?
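
The alternative suggested in point 3 above, as an added example that is not part of the original post or of the CookieCutter product: a dictionary of strings is flattened into one cookie value and parsed back without pickle, so decoding can only ever yield strings. The function names, the `&` and `=` separators and the percent-encoding are assumptions chosen for this sketch.

```python
from urllib.parse import quote, unquote

MAX_COOKIE_BYTES = 4096       # the 4KB limit mentioned in point 4
PAIR_SEP, KV_SEP = "&", "="   # separators assumed for this example


def flatten(data):
    """Encode a {str: str} dict as 'key=value&key=value'."""
    parts = []
    for key, value in data.items():
        if not isinstance(key, str) or not isinstance(value, str):
            raise TypeError("only string keys and values are supported")
        # safe="" percent-encodes the separators, so data cannot inject pairs
        parts.append(quote(key, safe="") + KV_SEP + quote(value, safe=""))
    cookie = PAIR_SEP.join(parts)
    if len(cookie.encode("ascii")) > MAX_COOKIE_BYTES:
        raise ValueError("cookie value exceeds 4KB")
    return cookie


def unflatten(cookie, expected_keys):
    """Decode a cookie value received from the client.

    The result is always a plain dict of strings. Keys outside
    expected_keys are ignored (as in point 2); malformed input raises
    ValueError instead of being partially accepted.
    """
    if len(cookie.encode("utf-8", "replace")) > MAX_COOKIE_BYTES:
        raise ValueError("cookie value exceeds 4KB")
    result = {}
    if not cookie:
        return result
    for pair in cookie.split(PAIR_SEP):
        if pair.count(KV_SEP) != 1:
            raise ValueError("malformed pair")
        raw_key, raw_value = pair.split(KV_SEP)
        # errors="strict" raises UnicodeDecodeError (a ValueError) on bad bytes
        key = unquote(raw_key, errors="strict")
        value = unquote(raw_value, errors="strict")
        if key in result:
            raise ValueError("duplicate key")
        if key in expected_keys:
            result[key] = value
    return result
```

Unlike a pickle, this format carries no type or object information, so a tampered cookie can change string values but cannot cause objects to be constructed on the server.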