In Pyramid Framework what is the difference between default Unencrypted Session Factory and setting cookies manually?

给你一囗甜甜゛ submitted on 2019-12-23 02:24:05

Question


I do not understand the difference between setting up a Unencrypted Session Factory in order to set cookies, as compared to using request.response.set_cookie(..) and request.cookies[key].


Answer 1:


The UnencryptedCookieSessionFactory manages one cookie, that is signed. This means that the client can read[1] what is in the cookie, but cannot change the values in the cookie.

If you set cookies directly using response.set_cookie(), the client can not only read the cookie, they can change the value of the cookie and you won't be able to detect that the contents have been tampered with.

Moreover, the UnencryptedCookieSessionFactory lets you store any Python structure and it'll take care of encoding these to fit within the limitations of a cookie; you'd have to do the same work manually with .set_cookie().

[1] You'd have to base64-decode the cookie, then use the pickle module to decode the contents. Because the cookie is cryptographically signed, the usual security concerns that apply to pickle are mitigated.
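The integrity property the answer describes, shown as an added, stand-alone example that is not Pyramid's own code and does not import Pyramid: a minimal signed cookie (base64 body plus an HMAC-SHA256 tag over it) beside a plain cookie of the kind `set_cookie()` produces. It substitutes JSON for the pickle serializer the answer mentions so that a forged body can never reach a deserializer that executes code; the secret, the `client_rewrite` helper and the sample payloads are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie

# Constructed demo secret; a real application loads this from configuration.
SECRET = b"constructed-demo-secret-do-not-use"


def _encode_body(payload: dict) -> str:
    # JSON instead of pickle (assumption for this demo): readable, but never executable.
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def _sign(body: str, secret: bytes) -> str:
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def sign_cookie(payload: dict, secret: bytes = SECRET) -> str:
    """Server side: serialize the session dict and append an HMAC over the body."""
    body = _encode_body(payload)
    return f"{body}.{_sign(body, secret)}"


def read_cookie_unverified(cookie: str) -> dict:
    """Client side: anyone can base64-decode the body; 'unencrypted' means readable."""
    body = cookie.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(body))


def load_signed_cookie(cookie: str, secret: bytes = SECRET):
    """Server side: accept the payload only if the tag verifies; otherwise None."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator at all
    expected = _sign(body, secret)
    if not hmac.compare_digest(expected, tag):
        return None  # body was altered, or signed under a different secret
    return json.loads(base64.urlsafe_b64decode(body))


def client_rewrite(cookie: str, new_payload: dict) -> str:
    """Model of a client editing the body; without the secret the old tag is reused."""
    old_tag = cookie.rsplit(".", 1)[1]
    return f"{_encode_body(new_payload)}.{old_tag}"


def parse_plain_cookie(cookie_header: str) -> dict:
    """What a server sees for a cookie set with plain set_cookie(): no integrity check,
    so 'role=user' and a client-edited 'role=admin' are indistinguishable."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    signed = sign_cookie({"role": "user"})
    print("client can read:", read_cookie_unverified(signed))
    forged = client_rewrite(signed, {"role": "admin"})
    print("server accepts forged signed cookie:", load_signed_cookie(forged))
    print("server accepts forged plain cookie:", parse_plain_cookie("role=admin"))
```

The two `None` outcomes in `load_signed_cookie` are the whole difference: a signed session cookie fails closed when its body changes, whereas `parse_plain_cookie` has nothing to check and returns whatever the client sent.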



Source: https://stackoverflow.com/questions/14531396/in-pyramid-framework-what-is-the-difference-between-default-unencrypted-session
