You can continue using pickle; the serializer will not be removed, but it
will not be the default. I would suggest moving to json right now, so long
as you aren't relying on pickle-ability in your existing code.

On Fri, Feb 22, 2019 at 1:09 AM Mike Orr <sluggos...@gmail.com> wrote:

> On Tue, Sep 25, 2018 at 8:18 AM Michael Merickel <mmeri...@gmail.com> wrote:
> >
> > On Tue, Sep 25, 2018 at 10:09 AM Mike Orr <sluggos...@gmail.com> wrote:
> >>
> >> On Mon, Sep 24, 2018 at 3:21 PM Michael Merickel <mmeri...@gmail.com> wrote:
> >> > We'd deprecate it in 1.10 and remove it in 2.0 as we're planning to do with pickle-based sessions [2].
> >>
> >> Why are pickle-based sessions being removed? I switched my serializers
> >> to JSON but later switched them back because it was useful to have the
> >> ability to cache non-JSONable objects in sessions.
> >
> >
> > You can read the security concerns in the pull request I linked. You're
> > welcome to keep using pickle sessions (they support everything JSON
> > supports), but Pyramid will be moving to only requiring JSON.
>
> I just inherited a Pyramid application that has several nested classes
> in the session with dozens of attributes, so it would be quite a job
> to convert them to JSONable dicts. I'm advising the developer how to
> prepare it for beta and future versions of Pyramid. We're currently
> using 'pyramid_beaker' with file-based sessions but I'm planning to
> switch to 'pyramid_redis_sessions'. What will I need to do to make it
> keep working in Pyramid 2 and 1.10? Will the PickleSerializer class be
> deleted from the code, or just made non-default? I don't need a
> dual-mode serializer as in the docs, because when/if we switch to JSON
> we'll delete all the existing sessions. So I'd just need to add code
> to explicitly use the Pickle serializer?
>
> The manual says:
>
> "In Pyramid 2.0 the pyramid.interfaces.ISession interface will be
> changing to require that session implementations only need to support
> JSON-serializable data types."
>
> This is consistent with what Michael said above. But the changelog
> entry for 1.10a1 says:
>
> "The pyramid.intefaces.ISession interface will move to require
> JSON-serializable objects in Pyramid 2.0. "
>
> suggesting it will force JSON or bust.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/pylons-discuss/CAH9f%3DupVNO63WH02nGF2iNdUJJKCgWngREDEPGvAie%2BHKR0vYQ%40mail.gmail.com
> .
> For more options, visit https://groups.google.com/d/optout.
>
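
One way to keep nested session classes while moving off pickle, shown as an added example that is not part of this thread or of Pyramid's own code: a JSON serializer with the `dumps`/`loads`-over-bytes shape that rebuilds only classes registered up front, so loading a session never instantiates a type the application did not list. `Cart`, `LineItem` and `AllowlistJSONSerializer` are hypothetical names, and the session contents are constructed sample data.

```python
import json

# Hypothetical session classes standing in for the application's nested objects.
class LineItem:
    def __init__(self, sku, qty):
        self.sku, self.qty = sku, qty

class Cart:
    def __init__(self, owner, items):
        self.owner, self.items = owner, items

class AllowlistJSONSerializer:
    """dumps()/loads() over bytes; only registered classes are rebuilt."""
    TAG = "__type__"

    def __init__(self, *classes):
        self._by_name = {cls.__name__: cls for cls in classes}

    def _encode(self, obj):
        # json calls this only for objects it cannot serialize natively.
        name = type(obj).__name__
        if self._by_name.get(name) is not type(obj):
            raise TypeError(f"{name} is not registered for session storage")
        return {self.TAG: name, **vars(obj)}

    def _decode(self, d):
        # Called for every JSON object, innermost first.
        if self.TAG not in d:
            return d
        name = d.pop(self.TAG)
        cls = self._by_name.get(name)
        if cls is None:
            raise ValueError(f"unknown session type {name!r}")
        obj = cls.__new__(cls)  # attributes are restored without running __init__
        obj.__dict__.update(d)
        return obj

    def dumps(self, appstruct):
        return json.dumps(appstruct, default=self._encode).encode("utf-8")

    def loads(self, bstruct):
        return json.loads(bstruct.decode("utf-8"), object_hook=self._decode)

def roundtrip_demo():
    # Constructed sample session: nested objects plus a plain JSON value.
    ser = AllowlistJSONSerializer(Cart, LineItem)
    session = {"cart": Cart("alice", [LineItem("A-1", 2)]), "visits": 3}
    return ser.loads(ser.dumps(session))
```

Any `__type__` key in stored data is treated as a class tag, so session values that come from user input should not be stored as raw dicts under this scheme.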
