On Nov 10, 10:05 pm, Paul McMillan <[email protected]> wrote:
> > There's no reason to not use JSON by default since it's adequate for
> > most cases where you need to store lightweight data client-side, since
> > it's most useful to use with FormWizard and such, where the fields are
> > easily serialized as strings. If it can't be a drop-in replacement to
> > the other session storage, just document it and offer a
> > PickleSignedSessionStorage, but don't push a possibly insecure
> > default.
>
> The default is secure. If you don't disclose your secret key, you
> don't have a problem.
>
> JSON is considerably more verbose. Cookie space is limited. JSON
> doesn't support many of the data structures people store in sessions.
> There are many reasons to store data in sessions beyond FormWizard. It
> already isn't a drop-in replacement, since it has limitations the
> other ones don't have.
Would it make sense to allow easier subclassing of
signed_cookies.SessionStore? The standard SessionStore could use
self.serializer instead of the hardcoded PickleSerializer (patch size
3 lines). Then document how to subclass SessionStore:
from django.contrib.sessions.backends.signed_cookies import SessionStore
from django.core.signing import JSONSerializer

class JSONSessionStore(SessionStore):
    # override the class attribute the base store consults
    serializer = JSONSerializer
This would allow the developer to pick the tradeoff between JSON and
Pickle instead of Django enforcing the choice. Not that it is that
hard to subclass the SessionStore currently, but this would make it
even easier, and documentation would make it part of the public API.
- Anssi
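A self-contained sketch of the pluggable-serializer idea, added here as an example (it is neither Django's code nor Anssi's): a signed-cookie store in miniature with a class-level serializer, showing the trade-off the thread is arguing about. The JSON store can only ever load plain data (a tuple comes back as a list, a set cannot be stored at all), the pickle store round-trips richer objects but is only as safe as the secret key, and a cookie with a bad signature yields an empty session. SECRET_KEY, the two serializer classes and the HMAC layout are constructed stand-ins for Django's own.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Constructed stand-in; a real deployment reads settings.SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


class JSONSerializer:
    # Data-only: loads() can only ever produce JSON types, whatever the bytes say.
    @staticmethod
    def dumps(obj):
        return json.dumps(obj, separators=(",", ":")).encode()

    @staticmethod
    def loads(data):
        return json.loads(data.decode())


class PickleSerializer:
    # Round-trips arbitrary Python objects, so it is safe only while the key stays secret.
    @staticmethod
    def dumps(obj):
        return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)

    @staticmethod
    def loads(data):
        return pickle.loads(data)


class SessionStore:
    # Signed-cookie session in miniature: the payload is HMAC-signed, not encrypted.
    serializer = PickleSerializer  # the default the thread is arguing about

    def _mac(self, payload):
        return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

    def encode(self, session_dict):
        payload = base64.urlsafe_b64encode(self.serializer.dumps(session_dict))
        sig = base64.urlsafe_b64encode(self._mac(payload))
        return (payload + b":" + sig).decode()

    def decode(self, cookie):
        payload, _, sig = cookie.encode().partition(b":")
        if not hmac.compare_digest(base64.urlsafe_b64decode(sig), self._mac(payload)):
            return {}  # bad signature: treat as a fresh, empty session
        return self.serializer.loads(base64.urlsafe_b64decode(payload))


class JSONSessionStore(SessionStore):
    serializer = JSONSerializer  # the subclass pattern proposed in the message
```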
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/django-developers?hl=en.