On Friday, September 20, 2013 10:24:00 AM UTC+2, Davide Rizzo wrote:
>
> - using the raw JSONEncoder by default is not offering any significant 
> security advantage over using an extended encoder. I feel like it's going 
> to discourage coders to use JSONSerializer at all.
>

Btw, could it be that you are mixing up Encoder and Serializer? Or are they 
supposed to be the same? If not, please add import names, so one knows which 
one you mean and from where. Personally I don't see any improvement in using an 
extended encoder -- in the end it's just more work for us and people 
complaining why we don't support their $magical class. In most if not all 
cases storing full objects in the session is wrong; what we could have 
supported would be timestamps, but those are storable as UTC seconds easily 
enough… Why would the current status be discouraging anyone?

> But I believe this decision didn't give a realistic weight to the impact on 
> the community.
>

I still fail to see the issue; 3rd party projects have to adapt, this is 
why we have deprecation paths and accelerated paths for security related 
stuff. The net result is the same: at some point you will be forced to use 
a new feature (although in this case a bit sooner, but again: security, and 
you can re-enable the old default); e.g. newforms->forms, Model.Admin class to 
newadmin etc. And those last two literally affected everyone, that's what 
I'd call impact; the current impact is __only__ on people who do use the 
session (granted, that's probably everyone) and did put complex data into 
the session. This pretty much narrows the list down to a percentage of the 
whole usergroup; when I audited my projects for this switch I had a few 
datetimes saved, although most of them saved them as integers already 
(which makes sense from a performance standpoint).

So all in all I think 3rd party authors will adapt without any problems, 
since they are most of the time not affected, or they'll have to change a 
few lines of code… Can you provide a big list of 3rd party apps storing 
Models etc. in the session?

Regards,
Florian
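The migration Florian describes (auditing session data for values the JSON serializer rejects, and storing datetimes as UTC seconds instead of relying on an extended encoder), as an added example that is not from the thread or from Django itself. It re-implements the dumps/loads contract of Django's JSONSerializer inline with the standard json module so it runs without Django; `find_unserializable`, `migrate_session`, `to_utc_seconds`, `from_utc_seconds` and `SAMPLE_SESSION` are names and data I made up for the illustration.

```python
import json
from datetime import datetime, timezone


class JSONSessionSerializer:
    """Stand-in for Django's JSONSerializer: same dumps()/loads() contract,
    reproduced here (assumption) so the example runs without Django."""

    def dumps(self, obj):
        return json.dumps(obj, separators=(",", ":")).encode("latin-1")

    def loads(self, data):
        return json.loads(data.decode("latin-1"))


def find_unserializable(session_data):
    """Audit helper: (key, type name) for every value the JSON serializer
    would reject, so an app can be checked before switching away from pickle."""
    serializer = JSONSessionSerializer()
    rejected = []
    for key, value in session_data.items():
        try:
            serializer.dumps(value)
        except TypeError:
            rejected.append((key, type(value).__name__))
    return rejected


def to_utc_seconds(dt):
    """Store a datetime as an integer UTC timestamp (naive values are
    assumed to be UTC already), which plain JSON handles without any encoder."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def from_utc_seconds(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def migrate_session(session_data):
    """Convert datetimes to UTC seconds; other non-JSON values are left as-is
    so the audit reports them instead of something serialising them silently."""
    return {k: to_utc_seconds(v) if isinstance(v, datetime) else v
            for k, v in session_data.items()}


# Constructed sample session: one JSON-safe key, one datetime, one nested dict.
SAMPLE_SESSION = {
    "user_id": 42,
    "last_login": datetime(2013, 9, 20, 8, 24, tzinfo=timezone.utc),
    "cart": {"sku-1": 2},
}
```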
