On 10 nov, 21:21, Anssi Kääriäinen <anssi.kaariai...@thl.fi> wrote:
> On Nov 10, 10:05 pm, Paul McMillan <p...@mcmillan.ws> wrote:
> > > There's no reason to not use JSON by default since it's adequate for most cases where you need to store lightweight data client-side, since it's most useful to use with FormWizard and such, where the fields are easily serialized as strings. If it can't be a drop-in replacement to the other session storage, just document it and offer a PickleSignedSessionStorage, but don't push a possibly insecure default.
> >
> > The default is secure. If you don't disclose your secret key, you don't have a problem.
> >
> > JSON is considerably more verbose. Cookie space is limited. JSON doesn't support many of the data structures people store in sessions. There are many reasons to store data in sessions beyond FormWizard. It already isn't a drop-in replacement, since it has limitations the other ones don't have.
>
> Would it make sense to allow easier subclassing of signed_cookies.SessionStore? The standard SessionStore could use self.serializer instead of the hardcoded PickleSerializer (patch size 3 lines). Then document how to subclass SessionStore:
>
> from django.contrib.sessions.backends.signed_cookies import SessionStore
> from django.core.signing import JSONSerializer
>
> class JSONSessionStore(SessionStore):
>     serializer = JSONSerializer
>
> This would allow the developer to pick the tradeoff between JSON and Pickle instead of Django enforcing the choice. Not that it is that hard to subclass the SessionStore currently, but this would make it even easier, and documentation would make it part of the public API.
>
> - Anssi
That's how Werkzeug's SecureCookie is implemented also. Besides, that's just good practice. +1
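As an added illustration of the subclass pattern Anssi proposes (example code written for this thread, not Django's own signed_cookies backend or django.core.signing): a minimal HMAC-signed cookie store whose class-level `serializer` a subclass can swap, showing that the signature check runs before either serializer touches the payload, and that JSON narrows what can be stored (tuples come back as lists, dates are refused) while pickle round-trips anything. The secret key, sample session data and helper names are constructed for the demo.

```python
import base64, hashlib, hmac, json, pickle
from datetime import date
SECRET_KEY = b"demo-secret-not-for-production"  # constructed; keep the real one private

class JSONSerializer:
    """Only JSON types round-trip, so loads() cannot execute code on hostile input."""
    def dumps(self, obj): return json.dumps(obj, separators=(",", ":")).encode()
    def loads(self, data): return json.loads(data.decode())

class PickleSerializer:
    """Any Python object round-trips, but loads() must only ever see verified bytes."""
    def dumps(self, obj): return pickle.dumps(obj, pickle.HIGHEST_PROTOCOL)
    def loads(self, data): return pickle.loads(data)

class SessionStore:
    """Signed-cookie session: the serializer runs only after the HMAC verifies."""
    serializer = PickleSerializer  # class attribute, so a subclass can swap it
    def __init__(self, key=SECRET_KEY):
        self.key = key

    def _sign(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def encode(self, session_dict):
        payload = base64.urlsafe_b64encode(self.serializer().dumps(session_dict))
        return payload + b":" + base64.urlsafe_b64encode(self._sign(payload))

    def decode(self, cookie):
        payload, _, sig = cookie.rpartition(b":")
        if not hmac.compare_digest(self._sign(payload), base64.urlsafe_b64decode(sig)):
            return {}  # tampered or foreign cookie: the serializer is never reached
        return self.serializer().loads(base64.urlsafe_b64decode(payload))

class JSONSessionStore(SessionStore):
    serializer = JSONSerializer

def roundtrip(store, data):
    return store.decode(store.encode(data))

def json_rejects_date():
    try:
        JSONSessionStore().encode({"when": date(2011, 11, 10)})
    except TypeError:
        return True
    return False

def tamper_is_rejected(store):
    forged = bytearray(store.encode({"user_id": 7}))
    forged[0] ^= 1  # flip one bit in the payload; the signature no longer matches
    return store.decode(bytes(forged)) == {}
```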