On 10 nov, 18:05, Paul McMillan <[email protected]> wrote:
> > There's no reason to not use JSON by default since it's adequate for
> > most cases where you need to store lightweight data client-side, since
> > it's most useful to use with FormWizard and such, where the fields are
> > easily serialized as strings. If it can't be a drop-in replacement to
> > the other session storage, just document it and offer a
> > PickleSignedSessionStorage, but don't push a possibly insecure
> > default.
>
> The default is secure. If you don't disclose your secret key, you
> don't have a problem.

The problem is, if you *do* leak the secret key - or new bugs in the
session handling component are found - what should be a session hijack
issue escalates to a remote code execution exploit. I shouldn't have to
insist on how bad that is.

> JSON is considerably more verbose. Cookie space is limited. JSON
> doesn't support many of the data structures people store in sessions.
> There are many reasons to store data in sessions beyond FormWizard. It
> already isn't a drop-in replacement, since it has limitations the
> other ones don't have.

There's nothing wrong with providing a pickle serializer. I'm just
opposed to making it default. At the very least, add to the official
documentation a mention of the possible security issues, so the
concerned developer can make a choice.
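The trade-off discussed in this thread, as an added example that is neither Django's session code nor anything posted by the participants: a signed-cookie session that serializes with JSON only. The `JSONSerializer` class follows the `dumps()`/`loads()` bytes-in, bytes-out shape that Django's session serializers use (assumed here, not copied from Django), the signing scheme is a plain HMAC-SHA256 stand-in for Django's signer, and the key is a constructed placeholder. It shows the two points made above: a verified JSON payload can only ever become plain data (a leaked key lets a forger set session values, not run code), and JSON refuses types such as `set` or `datetime` that a pickle serializer would accept.

```python
"""Signed client-side session with a JSON-only serializer (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment would use settings.SECRET_KEY.
SECRET_KEY = b"constructed-demo-secret-do-not-use"


class JSONSerializer:
    """JSON session serializer with the dumps()/loads() interface that Django's
    session serializers expose (interface assumed; this is not Django's code)."""

    def dumps(self, obj):
        # Compact separators: cookie space is limited, so drop whitespace.
        return json.dumps(obj, separators=(",", ":")).encode("ascii")

    def loads(self, data):
        # json.loads builds only dict/list/str/int/float/bool/None objects;
        # it never instantiates arbitrary classes, unlike pickle.loads.
        return json.loads(data.decode("ascii"))


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def encode_session(session, key=SECRET_KEY, serializer=JSONSerializer()):
    """Serialize, base64 and sign a session dict into a cookie value."""
    payload = _b64(serializer.dumps(session))
    sig = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    return (payload + b":" + sig).decode("ascii")


def decode_session(cookie, key=SECRET_KEY, serializer=JSONSerializer()):
    """Verify the signature before touching the payload; raise on mismatch."""
    # urlsafe base64 never contains ':', so rpartition splits unambiguously.
    payload, _, sig = cookie.encode("ascii").rpartition(b":")
    expected = _b64(hmac.new(key, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("session cookie signature mismatch")
    return serializer.loads(_unb64(payload))


def tamper_is_detected(cookie):
    """Flip one payload character and report whether decoding refuses it."""
    payload, _, sig = cookie.rpartition(":")
    flipped = ("A" if payload[0] != "A" else "B") + payload[1:]
    try:
        decode_session(flipped + ":" + sig)
    except ValueError:
        return True
    return False


def can_serialize(obj, serializer=JSONSerializer()):
    """True if the serializer accepts obj; JSON rejects set, datetime, objects."""
    try:
        serializer.dumps(obj)
    except TypeError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: the kind of lightweight FormWizard state the
    # thread talks about.
    session = {"user_id": 42, "wizard_step": 2, "fields": {"email": "[email protected]"}}
    cookie = encode_session(session)
    print("cookie:", cookie)
    print("round trip ok:", decode_session(cookie) == session)
    print("tamper detected:", tamper_is_detected(cookie))
    # Even a payload signed with the real key yields nothing but a dict.
    print("forged value is plain data:", type(decode_session(encode_session({"is_admin": True}))))
    # The limitation Paul raises: JSON cannot carry every session value.
    print("set serializable:", can_serialize({"tags": {1, 2}}))
```

The ordering in `decode_session` matters: the HMAC is checked over the raw payload before any decoding, so an unsigned or modified cookie is rejected without the serializer ever seeing it. With JSON the worst case after a key leak is a forged session (data the application must still validate), whereas with a pickle serializer the deserialization step itself is the attack surface.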
