Yes, I understand your concern. For sure, Aaron was on drugs when he mentioned this quick, non-secure fix -- even though the asker most definitely had very loose security requirements given that he was using nothing more than CGI.
But from the beginning, everyone using webpy has seemed to know flup sessions to be the recommended way of doing sessions:
http://webpy.org/track/wiki/SessionsWithFlup
Let's look at this another way though. If you really need security, then which is better: a simple, quickly verifiable codebase like webpy, or a massive, magical code base like Django and TurboGears? Do any frameworks make any guarantees of security?
I have seen several high profile sites within the last two years with major, obvious security problems. As hard as this is to believe, I no longer think that security is what will determine the success of most any web app -- at all. Unless you have special needs, feelings of security should not be your primary metric in evaluating a framework.
Luckily I don't use a massive, magical code base like Django or TurboGears. I use Pylons, which is small enough that you can understand it all, large enough that you can actually do useful things with it, and written by some very smart people.