#21002 closed Cleanup/optimization (fixed)
Document JSON session serialization requires string keys
Reported by: | | Owned by: | Tim Graham |
---|---|---|---|
Component: | Documentation | Version: | 1.6-beta-1 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Just updated my project to the Django 1.6 beta; effectively moved from the pickle session serializer to the JSON serializer without knowing (I only read about this change *after* I got errors). Suddenly things break. Apparently my old session bytes are decoded via something JSON-ish.
A dictionary like:
`{1: 2}`
becomes:
`{u"1": 2}`
breaking:
`mydict[1]` → `KeyError`
I prefer an error message where "the json decoder" complains that it can't decode pickle data, so that I have a chance of "migrating" the session data, clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.
I don't understand the session docs on "an attacker knowing the SECRET_KEY"; as in, an attacker can brute-force guess/determine the secret key? Or did this attacker read the config file with the secret key, along with the database password etc.? As a result I am not sure whether I should switch serializers or make my session data JSON-proof.
Attachments (1)
Change History (8)
comment:1 by , 11 years ago
Component: | contrib.sessions → Documentation |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
Type: | Uncategorized → Cleanup/optimization |
by , 11 years ago
Attachment: | 21002.diff added |
---|
comment:2 by , 11 years ago
Has patch: | set |
---|
I've added a patch. If you could provide feedback that would be great --thanks again!
comment:3 by , 11 years ago
Ah yes, my bad, sorry; I thought that my current (pickled) session was mangled. Instead, stuff only broke after the inevitable login when changing serializers.
The example with the zero as key to the session might be a bit far-fetched. In my use case I have a bunch of database ids as keys to some cached data. On the other hand it's nice and short. I'm fine with it.
Thanks,
jeroen
comment:4 by , 11 years ago
Summary: | Sessions: The switch from pickle to json silently mangles my session data → Document JSON session serialization requires string keys |
---|---|
Triage Stage: | Accepted → Ready for checkin |
comment:5 by , 11 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Thanks for the feedback. This isn't a consequence of switching from JSON to pickle (as noted in the release notes "If you upgrade and switch from pickle to JSON, sessions created before the upgrade will be lost."), but rather a limitation of the JSON serializer -- keys are always serialized as strings in JSON. I believe we should handle this by documenting the caveat that you shouldn't use integer keys (or other types) when using JSON serialization.
I will clarify the docs regarding your question about `SECRET_KEY`. There's no inherent vulnerability in Django that would cause it to leak.
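The key coercion described in the ticket and in comment:5, as an added example that is not Django's code: a stand-in for the JSON and pickle session serializers (assumed to mirror their dumps/loads contract), a checker that walks a session payload and reports every key that will not survive a JSON round trip, including an int key colliding with its own string spelling, and a helper that rewrites keys before a migration. The class and function names and the sample session payload are constructed for this illustration.

```python
import json
import pickle


class JSONSerializer:
    """Stand-in for django.contrib.sessions.serializers.JSONSerializer.

    Assumption: it encodes with json.dumps and decodes with json.loads over a
    latin-1 byte string, which is what the session store hands to the
    serializer. Added for illustration; this is not Django's code.
    """

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


class PickleSerializer:
    """Stand-in for the pre-1.6 default; pickle preserves key types."""

    def dumps(self, obj):
        return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)

    def loads(self, data):
        return pickle.loads(data)


def roundtrip(serializer, session_data):
    """Save then load, as the session backend does between requests."""
    return serializer.loads(serializer.dumps(session_data))


def json_key(key):
    """Spell a dict key the way json.dumps writes it as an object name."""
    if isinstance(key, str):
        return key
    if key is None or isinstance(key, (bool, int, float)):
        return json.dumps(key)  # 1 -> "1", True -> "true", None -> "null"
    raise TypeError(f"key {key!r} cannot be a JSON object name")


def find_lossy_keys(obj, path=()):
    """List paths of dict keys that will not survive a JSON round trip.

    A non-string key comes back as its string spelling, and two keys that
    share a spelling (1 and "1") are merged, the last one written winning.
    """
    problems = []
    if isinstance(obj, dict):
        seen = set()
        for key, value in obj.items():
            name = json_key(key)
            here = path + (name,)
            if not isinstance(key, str):
                problems.append("/".join(here))
            if name in seen:
                problems.append("/".join(here) + " (collision)")
            seen.add(name)
            problems.extend(find_lossy_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            problems.extend(find_lossy_keys(item, path + (f"[{i}]",)))
    return problems


def stringify_keys(obj):
    """Rewrite a session payload so every key already has its JSON spelling.

    Run find_lossy_keys first: colliding keys are silently merged here too.
    """
    if isinstance(obj, dict):
        return {json_key(k): stringify_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [stringify_keys(v) for v in obj]
    return obj


def demo():
    # Constructed session payload: cached rows keyed by integer primary key.
    session = {"cached_by_pk": {7: "alice", 42: "bob"}, "recent": [1, 2]}

    assert roundtrip(PickleSerializer(), session)["cached_by_pk"][7] == "alice"

    restored = roundtrip(JSONSerializer(), session)
    assert 7 not in restored["cached_by_pk"]          # the reporter's KeyError
    assert restored["cached_by_pk"]["7"] == "alice"

    safe = stringify_keys(session)
    assert roundtrip(JSONSerializer(), safe) == safe  # round trip is now lossless
    assert safe["cached_by_pk"][str(7)] == "alice"    # look up with str(pk)
    return find_lossy_keys(session)


if __name__ == "__main__":
    print(demo())  # ['cached_by_pk/7', 'cached_by_pk/42']
```

Running the checker over a pickled session payload before flipping `SESSION_SERIALIZER` tells you which keys need rewriting; the collision case matters because it loses data rather than just moving it, so it has to be resolved by hand rather than by `stringify_keys`.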