11.18 Cookie -- HTTP state management

The Cookie module defines classes for abstracting the concept of cookies, an HTTP state management mechanism. It supports both simple string-only cookies, and provides an abstraction for having any serializable data-type as cookie value.

The module formerly strictly applied the parsing rules described in in the RFC 2109 and RFC 2068 specifications. It has since been discovered that MSIE 3.0x doesn't follow the character rules outlined in those specs. As a result, the parsing rules used are a bit less strict.

exception CookieError
Exception failing because of RFC 2109 invalidity: incorrect attributes, incorrect Set-Cookie header, etc.

class BaseCookie([input])
This class is a dictionary-like object whose keys are strings and whose values are Morsels. Note that upon setting a key to a value, the value is first converted to a Morsel containing the key and the value.

If input is given, it is passed to the load() method.

class SimpleCookie([input])
This class derives from BaseCookie and overrides value_decode() and value_encode() to be the identity and str() respectively.

class SerialCookie([input])
This class derives from BaseCookie and overrides value_decode() and value_encode() to be the pickle.loads() and pickle.dumps().

Do not use this class. Reading pickled values from a cookie is a security hole, as arbitrary client-code can be run on pickle.loads(). It is supported for backwards compatibility.

class SmartCookie([input])
This class derives from BaseCookie. It overrides value_decode() to be pickle.loads() if it is a valid pickle, and otherwise the value itself. It overrides value_encode() to be pickle.dumps() unless it is a string, in which case it returns the value itself.

The same security warning from SerialCookie applies here.

See Also:

RFC 2109, HTTP State Management Mechanism
This is the state management specification implemented by this module.

See About this document... for information on suggesting changes.