#20922 closed New feature (fixed)
Allow customizing the serializer used by contrib.sessions
Reported by: | Owned by: | Tim Graham | |
---|---|---|---|
Component: | contrib.sessions | Version: | 1.5 |
Severity: | Release blocker | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
The django.contrib.sessions.backends.signed_cookies
session backend should be written in a way that allows subclasses to use their own serializer implementation. This will allow using JSON instead of Pickle to serialize sessions.
For background, see #20444 and https://groups.google.com/d/topic/django-developers/YwlZ9m9k1bE/discussion.
Change History (8)
comment:1 by , 11 years ago
Has patch: | set |
---|
comment:2 by , 11 years ago
Component: | Uncategorized → contrib.sessions |
---|---|
Severity: | Normal → Release blocker |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → New feature |
Yes, I actually have a more extensive patch in the works.
comment:3 by , 11 years ago
Description: | modified (diff) |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Summary: | Signed Cookie Session Backend Should Support Using a JSON Serializer → Allow customizing the serializer used by contrib.sessions |
The plan is to introduce settings.SESSION_SERIAZLIER
in the next 1.5.x release. It'll default to using pickle for backwards compatibility, but the default will switch to using JSON in 1.6. Pull request in progress.
An additional API has been proposed by @apollo13 to allow customizing the serializiers a bit easier (rather than dealing with subclassing the current serializers, having to possibly write mixins, etc.). For example, in the existing patch JSONMessagesSerializer
could be replaced by a hook:
class SerializerHook(object): handles_variables = ['variable1', ...] def to_primitive(self, name, object): pass def from_primitive(self, name, object): pass
Then in
settings.py
you'd have another setting:
SESSION_SERIALIZER_HOOKS = ['django.contrib.messages.session_hook', ...]
This would allow 3rd party applications to provide simple hooks for their session stuff (although that should be rare since you generally don't put that much logic into sessions, messages are one example of where you still might wanna do it).
Feedback on whether or not this additional complexity is worthwhile would be appreciated.
comment:4 by , 11 years ago
I think the additional complexity is needed. If you happen to use two different applications that use something more complex in sessions, you will need that.
Some questions:
- Are model instances automatically serializable? I know they can be serialized for fixtures...
- What if two hooks have same "handles_variables" keys? First one wins? Chain them? ValidationError? Something else?
- If you have some object type that needs always custom serialization, but is found from different names in the session, is there any nice way to handle that using the above API? Maybe '*' variable? Or maybe there should be object hook that will be called if present (json_serialize(), json_deserialize() for example).
- What about nested structures, if you happen to have object you know how to serialize deeply nested, how to proceed? Again object hooks would help here.
- What happens when transitioning from Pickle to JSON? Loud failure seems like bad option, throwing session data out seems OK. I think this should be tested (unless it already is).
These are not meant to be "must fix" issues, it is completely OK to answer "too complex" to some of them... In any case there will be use cases where JSON serialization will be nearly impossible. QuerySet serialization comes to mind here...
comment:5 by , 11 years ago
- No, model instances are not serializable using JSON. Its limitations are noted in the documentation. An application would be responsible for serializing the instance before storing it in a session.
- We're not planning implementing the "hook" idea.
- N/A, we're not implementing this API.
- As hinted to above, our design decision boiled down to "it's up to the application to only store simple data structures in sessions." See the changes to
contrib.messages
for an example. - Sessions will be dropped (the release notes for 1.6 and 1.5.3 will mention this).
SessionBase.decode
catches deserialization exceptions and returns an empty session.
comment:6 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Pull request: https://github.com/django/django/pull/1474
Question: Should this be mentioned in the docs for this backend? An example of a backend using JSON could be helpful.