Document JSON session serialization requires string keys
|Reported by:||Owned by:||Tim Graham|
|Cc:||Triage Stage:||Ready for checkin|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Just updated my django 1.6 beta in project; Effectively moved from the pickle session serializer to json serializer without knowing (I only read about this change *after* I got errors.). Suddenly things break. Apparently my old session bytes are decoded, via something JSON-ish.
A dictionary like:
mydict >>> KeyError
I prefer an error message where "the json decoder" complains that it can't decode pickle data. So that I have a chance of "migrating" the session data , clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.
I don't understand the session docs on "an attacker knowing the SECRET_KEY"; As in, an attacker can brute force guess/determine the secret key? Or did this attacker read the config file with the secret key... along with the database password etcetera. As a result I am not sure whether I should switch serializers or make my session data JSON-proof.
Change History (8)
comment:1 Changed 3 years ago by
|Component:||contrib.sessions → Documentation|
|Owner:||changed from nobody to Tim Graham|
|Patch needs improvement:||unset|
|Status:||new → assigned|
|Triage Stage:||Unreviewed → Accepted|
|Type:||Uncategorized → Cleanup/optimization|
comment:4 Changed 3 years ago by
|Summary:||Sessions: The switch from pickle to json silently mangles my session data → Document JSON session serialization requires string keys|
|Triage Stage:||Accepted → Ready for checkin|