id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
21002	Document JSON session serialization requires string keys	jeroen.pulles@…	Tim Graham	"Just updated my Django 1.6 beta in my project; effectively moved from the pickle session serializer to the JSON serializer without knowing (I only read about this change *after* I got errors). Suddenly things break. Apparently my old session bytes are decoded, via something JSON-ish.

A dictionary like: 

{{{
{1: 2}
}}}

becomes:

{{{
{u""1"": 2}
}}}

breaking:

{{{
mydict[1]
>>> KeyError
}}}

I prefer an error message where ""the JSON decoder"" complains that it can't decode pickle data, so that I have a chance of ""migrating"" the session data, clearing all the sessions, or deciding to change the session serializer setting. Now I have no way of knowing what may happen with my existing sessions.

I don't understand the session docs on ""an attacker knowing the SECRET_KEY""; as in, an attacker can brute-force guess/determine the secret key? Or did this attacker read the config file with the secret key... along with the database password etcetera. As a result I am not sure whether I should switch serializers or make my session data JSON-proof. "	Cleanup/optimization	closed	Documentation	1.6-beta-1	Normal	fixed			Ready for checkin	1	0	0	0	0	0
