Can we provide a setting that lets you switch between the two? Then you can let developers choose their poison?
On Friday, November 11, 2011 at 6:25 PM, hcarvalhoalves wrote:

> On 10 nov, 18:05, Paul McMillan <[email protected]> wrote:
>
> > > There's no reason to not use JSON by default since it's adequate for
> > > most cases where you need to store lightweight data client-side, since
> > > it's most useful to use with FormWizard and such, where the fields are
> > > easily serialized as strings. If it can't be a drop-in replacement to
> > > the other session storage, just document it and offer a
> > > PickleSignedSessionStorage, but don't push a possibly insecure
> > > default.
> >
> > The default is secure. If you don't disclose your secret key, you
> > don't have a problem.
>
> The problem is, if you *do* leak the secret key - or new bugs in the
> session handling component are found - what should be a session hijack
> issue escalates to a remote code execution exploit. I shouldn't have to
> insist on how bad that is.
>
> > JSON is considerably more verbose. Cookie space is limited. JSON
> > doesn't support many of the data structures people store in sessions.
> > There are many reasons to store data in sessions beyond FormWizard. It
> > already isn't a drop-in replacement, since it has limitations the
> > other ones don't have.
>
> There's nothing wrong with providing a pickle serializer. I'm just
> opposed to making it default.
>
> At the very least, add to the official documentation a mention of the
> possible security issues, so the concerned developer can make a choice.
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To post to this group, send email to [email protected] (mailto:[email protected]).
> To unsubscribe from this group, send email to [email protected] (mailto:[email protected]).
> For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.
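As an added example, not code from this thread or from Django itself: a minimal signed-cookie session store with the switchable serializer proposed above. It signs both the serializer tag and the payload with HMAC-SHA256, leaves pickle off unless a deployment opts in, and shows the difference hcarvalhoalves describes. Without the key, a tampered cookie is rejected. With the key, a forged JSON cookie yields only data (a session hijack the application can still bound with its own validation), whereas a forged pickle cookie runs a callable named by whoever wrote the bytes (a harmless `os.path.basename` stands in for it here). Every name in the block (`encode_cookie`, `decode_cookie`, `SERIALIZERS`, the `SECRET_KEY` constant) is constructed for this example and is not Django's API.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle

# Constructed example key; a real deployment uses the application's secret key.
SECRET_KEY = b"example-secret-key-not-for-real-use"


class JSONSerializer:
    """Round-trips only JSON types (dict, list, str, numbers, bool, None).
    Loading untrusted bytes can produce nothing but plain data."""

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    def loads(self, data):
        return json.loads(data.decode("utf-8"))


class PickleSerializer:
    """Round-trips arbitrary Python objects. pickle.loads invokes whatever
    importable callables the stream names, so it must only see trusted bytes."""

    def dumps(self, obj):
        return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)

    def loads(self, data):
        return pickle.loads(data)


SERIALIZERS = {"json": JSONSerializer, "pickle": PickleSerializer}


class BadSignature(Exception):
    """Raised when the cookie's HMAC does not match its contents."""


def _sign(message: str, key: bytes) -> str:
    return hmac.new(key, message.encode("ascii"), hashlib.sha256).hexdigest()


def encode_cookie(session, key=SECRET_KEY, serializer="json"):
    """Serialize, base64-encode and sign a session value. The serializer tag
    is inside the signed message, so a client cannot relabel a signed JSON
    payload as pickle."""
    payload = SERIALIZERS[serializer]().dumps(session)
    body = f"{serializer}:{base64.urlsafe_b64encode(payload).decode('ascii')}"
    return f"{body}:{_sign(body, key)}"


def decode_cookie(cookie, key=SECRET_KEY, allowed=("json",)):
    """Verify the signature first, then refuse serializers the deployment
    has not enabled, and only then deserialize."""
    serializer, b64, sig = cookie.split(":")
    body = f"{serializer}:{b64}"
    if not hmac.compare_digest(_sign(body, key), sig):  # constant-time compare
        raise BadSignature("cookie signature mismatch")
    if serializer not in allowed:
        raise ValueError(f"serializer {serializer!r} is not enabled")
    return SERIALIZERS[serializer]().loads(base64.urlsafe_b64decode(b64))


class SideEffectOnLoad:
    """Harmless stand-in: unpickling calls the function named here with the
    arguments given here. Nothing in the session store invokes it itself."""

    def __reduce__(self):
        return (os.path.basename, ("/constructed/ran-on-load",))


def demo_tamper_detected() -> bool:
    """Without the key, editing the payload is caught by the signature."""
    serializer, _b64, sig = encode_cookie({"user_id": 42, "is_admin": False}).split(":")
    forged_b64 = base64.urlsafe_b64encode(b'{"user_id":42,"is_admin":true}').decode("ascii")
    try:
        decode_cookie(f"{serializer}:{forged_b64}:{sig}")
    except BadSignature:
        return True
    return False


def demo_leaked_key_json():
    """With the key, a JSON cookie can be forged (hijack), but what comes out
    is only data the application still has to validate."""
    forged = encode_cookie({"user_id": 1, "is_admin": True}, key=SECRET_KEY)
    return decode_cookie(forged)


def demo_leaked_key_pickle():
    """With the key and pickle enabled, the forged cookie runs code on load;
    with the default allow-list the same cookie is refused before loads."""
    forged = encode_cookie(SideEffectOnLoad(), key=SECRET_KEY, serializer="pickle")
    try:
        decode_cookie(forged)
        refused = False
    except ValueError:
        refused = True
    loaded = decode_cookie(forged, allowed=("json", "pickle"))  # opt-in deployment
    return refused, loaded
```

The allow-list check sits after signature verification on purpose: a cookie that fails the HMAC never reaches any deserializer, and a cookie that passes it is still only handed to serializers the deployment chose. The `__reduce__` stand-in returns a path basename rather than a string literal so the returned value proves the named callable actually ran during `pickle.loads`.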
