The Cookie module defines classes for abstracting the concept of cookies, an HTTP state management mechanism. It supports both simplistic string-only cookies, and provides an abstraction for having any serializable data-type as cookie value.

The module formerly strictly applied the parsing rules described in in the RFC 2109  ] and RFC 2068  ] specifications. It has since been discovered that MSIE 3.0x doesn't follow the character rules outlined in those specs. As a result, the parsing rules used are a bit less strict.

CookieError

Exception failing because of RFC 2109  ] invalidity: incorrect attributes, incorrect Set-Cookie header, etc.

BaseCookie ([input])

This class is a dictionary-like object whose keys are strings and whose values are Morsels. Note that upon setting a key to a value, the value is first converted to a Morsel containing the key and the value. If input is given, it is passed to the load method.

SimpleCookie ([input])

This class derives from BaseCookie and overrides value_decode and value_encode to be the identity and str() respectively.

SerialCookie ([input])

This class derives from BaseCookie and overrides value_decode and value_encode to be the pickle.loads() and pickle.dumps. Do not use this class. Reading pickled values from a cookie is a security hole, as arbitrary client-code can be run on pickle.loads(). It is supported for backwards compatibility.

SmartCookie ([input])

This class derives from BaseCookie. It overrides value_decode to be pickle.loads() if it is a valid pickle, and otherwise the value itself. It overrides value_encode to be pickle.dumps() unless it is a string, in which case it returns the value itself. The same security warning from SerialCookie applies here.

Subsections

• 11.17.1 Cookie Objects
• 11.17.2 Morsel Objects
• 11.17.3 Example

See About this document... for information on suggesting changes.