2

I'm using a cookielib.LWPCookieJar object in Python 2.6 to save cookies and re-load them on future invocations of my script. The save() method produces files with the default permissions - that is, other users on my system can read (and presumably then use) cookies I save this way.

It seems to me that persistent cookies should usually be saved in a user-only readable file (umask 077), for security. Is there a way to do this without re-implementing the save() method in my own subclass?

Tom Baldwin
  • What about building a fresh LWPCookieJar instance each time the script is run? – yurisich Jun 02 '12 at 23:21
  • That's what I'm doing. I make a fresh `LWPCookieJar`, and use the `load()` and `save()` methods for persistence. These methods don't seem to save things in a very secure way. – Tom Baldwin Jun 04 '12 at 03:50

1 Answer

0

I agree that this is important -- session IDs are often saved as cookies.

Would it suffice to save the cookie to a file in a directory which only the user can access?

```python
import os

os.mkdir(myTmpDir, 0o700)  # 0o700: only the owning user can enter or list it
# Now save the CookieJar in there...
```
AmigoNico
  • This is what I ended up doing. It seemed like the right balance between idealism (setting permissions of the actual LWP file) and elegance (only one line of extra code). – Tom Baldwin Jun 06 '12 at 06:48
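An added example, not part of the original answer or of `cookielib` itself: it goes one step beyond the private directory and sets the permissions of the cookie file itself, including the case where a file from an earlier run already exists with looser permissions. The names `save_private`, `mode_of`, `sample_cookie` and `demo`, and the host `example.invalid`, are assumptions made for illustration; POSIX permissions are assumed.

```python
import os
import stat
import tempfile
try:
    import cookielib                      # Python 2, as in the question
except ImportError:
    import http.cookiejar as cookielib    # same module under its Python 3 name

def save_private(jar, path):
    """Save `jar` to `path`, leaving the file readable by its owner only."""
    # Create the file as 0600 if it is missing. save() later opens the
    # path for writing, which keeps the mode of an existing file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)
    try:
        # A file left over from an earlier run may still be 0644;
        # neither umask nor the mode above changes that, so fix it here.
        os.fchmod(fd, 0o600)
    finally:
        os.close(fd)
    jar.save(path, ignore_discard=True)   # keep session cookies too

def mode_of(path):
    """Permission bits of `path`, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)

def sample_cookie():
    """Constructed session cookie for example.invalid (not real data)."""
    return cookielib.Cookie(
        0, "sessionid", "constructed-value", None, False,
        "example.invalid", True, False, "/", True,
        False, None, True, None, None, {})

def demo():
    workdir = tempfile.mkdtemp()          # mkdtemp creates the directory 0700
    path = os.path.join(workdir, "cookies.lwp")
    with open(path, "w"):                 # simulate an old, loosely-created file
        pass
    os.chmod(path, 0o644)
    jar = cookielib.LWPCookieJar()
    jar.set_cookie(sample_cookie())
    save_private(jar, path)
    reloaded = cookielib.LWPCookieJar()
    reloaded.load(path, ignore_discard=True)
    return mode_of(workdir), mode_of(path), [c.value for c in reloaded]

if __name__ == "__main__":
    print(demo())
```

Setting `umask 077` before `save()` only affects a file that is being created, which is why the existing-file case is handled with `fchmod` here.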