Default session data serializer doesn't support extended data types
Reported by: | Owned by: nobody
Has patch: no | Needs documentation: yes
Needs tests: yes | Patch needs improvement: no
#20922 introduced the option to choose a custom session data serializer. The default option is to use the new JSONSerializer starting from 1.6, since using pickle would lead to a remote code execution vulnerability when session data is stored in cookies.
While this can be considered a sensible security choice, it becomes inconvenient because the JSON encoder used by JSONSerializer is not the same one used elsewhere in Django: it only supports basic data types (strings, ints/floats, booleans, nested dicts and lists, None).
The inconvenience is breaking compatibility with all third-party apps that rely on storing extended data types (such as those supported by DjangoJSONEncoder) with the default settings. Properly serializing datetime (possibly tz-aware) can be hard, and changing the default puts the burden on third-party app developers.
They would have the option of either adding two complexity layers (properly serializing/deserializing datetime objects, and not breaking compatibility with previous versions of the same app), or breaking compatibility with Django's default settings.
As an example of commonly used data types that can't be stored anymore with default settings:
- datetime, timedelta objects (supported by DjangoJSONEncoder)
- decimal objects (supported by DjangoJSONEncoder)
- arbitrary binary strings
- Geometry objects
I think the option of reverting the default to pickle should be also considered.
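The snippet below is an added illustration, not code from the ticket or from Django itself. It reproduces the bytes-in/bytes-out `dumps`/`loads` interface of the 1.6 `JSONSerializer` on top of the standard `json` module, and then shows one way a drop-in serializer with the same interface could round-trip the types listed above (tz-aware datetime, timedelta, Decimal, binary strings) while still never executing code on load. The `__type__` tagging convention is an assumption made for this example; `DjangoJSONEncoder` only encodes to ISO strings and has no matching decoder, so the decoding side goes beyond what it offers.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from decimal import Decimal


class JSONSerializer:
    """Same shape as Django 1.6's session JSONSerializer: plain json underneath,
    so loads() can only ever produce data, never trigger code (unlike pickle)."""

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


# Marker key for encoded extended types. Constructed for this example only;
# a real deployment would need a collision-safe convention for user data.
TAG = "__type__"


class ExtendedJSONSerializer(JSONSerializer):
    """Adds the types the ticket lists, keeping the data-only property of JSON."""

    def dumps(self, obj):
        return json.dumps(obj, default=self._encode,
                          separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"), object_hook=self._decode)

    @staticmethod
    def _encode(value):
        if isinstance(value, datetime):
            # isoformat() keeps the UTC offset, so tz-aware values survive.
            return {TAG: "datetime", "v": value.isoformat()}
        if isinstance(value, timedelta):
            return {TAG: "timedelta", "v": value.total_seconds()}
        if isinstance(value, Decimal):
            # str() rather than float() so no precision is lost.
            return {TAG: "decimal", "v": str(value)}
        if isinstance(value, bytes):
            return {TAG: "bytes", "v": base64.b64encode(value).decode("ascii")}
        raise TypeError(f"Object of type {type(value).__name__} is not JSON serializable")

    @staticmethod
    def _decode(d):
        kind = d.get(TAG)
        if kind == "datetime":
            return datetime.fromisoformat(d["v"])
        if kind == "timedelta":
            return timedelta(seconds=d["v"])
        if kind == "decimal":
            return Decimal(d["v"])
        if kind == "bytes":
            return base64.b64decode(d["v"])
        return d  # ordinary dict, hand it back untouched


# Constructed sample session holding the problematic types from the ticket.
SAMPLE_SESSION = {
    "user_name": "alice",
    "expires": datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc),
    "ttl": timedelta(hours=1),
    "cart_total": Decimal("19.99"),
    "nonce": b"\x00\xff\x10",
}


def default_serializer_rejects(session):
    """True when the plain 1.6-style serializer cannot store the session."""
    try:
        JSONSerializer().dumps(session)
    except TypeError:
        return True
    return False


def roundtrip(session):
    """Serialize and deserialize with the extended serializer."""
    s = ExtendedJSONSerializer()
    return s.loads(s.dumps(session))


if __name__ == "__main__":
    print("default serializer rejects:", default_serializer_rejects(SAMPLE_SESSION))
    restored = roundtrip(SAMPLE_SESSION)
    print("round-trip intact:", restored == SAMPLE_SESSION)
    print(restored)
```

Because the extended serializer still parses with `json.loads`, a tampered cookie can at worst yield unexpected data values, which is the property that motivated the move away from pickle in the first place; the cost is the per-type encode/decode code that the ticket says each third-party app would otherwise have to write.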
Change History (5)
comment:2 Changed 3 years ago by
Status: closed → new