On Tue, Sep 25, 2018 at 8:18 AM Michael Merickel <[email protected]> wrote:
>
> On Tue, Sep 25, 2018 at 10:09 AM Mike Orr <[email protected]> wrote:
>>
>> On Mon, Sep 24, 2018 at 3:21 PM Michael Merickel <[email protected]> wrote:
>> > We'd deprecate it in 1.10 and remove it in 2.0 as we're planning to do
>> > with pickle-based sessions [2].
>>
>> Why are pickle-based sessions being removed? I switched my serializers
>> to JSON but later switched them back because it was useful to have the
>> ability to cache non-JSONable objects in sessions.
>
>
> You can read the security concerns in the pull request I linked. You're
> welcome to keep using pickle sessions (they support everything JSON
> supports), but Pyramid will be moving to only requiring JSON.

I just inherited a Pyramid application that has several nested classes in the session with dozens of attributes, so it would be quite a job to convert them to JSONable dicts. I'm advising the developer how to prepare it for beta and future versions of Pyramid. We're currently using 'pyramid_beaker' with file-based sessions but I'm planning to switch to 'pyramid_redis_sessions'.

What will I need to do to make it keep working in Pyramid 2 and 1.10? Will the PickleSerializer class be deleted from the code, or just made non-default? I don't need a dual-mode serializer as in the docs, because when/if we switch to JSON we'll delete all the existing sessions. So I'd just need to add code to explicitly use the Pickle serializer?

The manual says: "In Pyramid 2.0 the pyramid.interfaces.ISession interface will be changing to require that session implementations only need to support JSON-serializable data types." This is consistent with what Michael said above. But the changelog entry for 1.10a1 says: "The pyramid.intefaces.ISession interface will move to require JSON-serializable objects in Pyramid 2.0. " suggesting it will force JSON or bust.
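
An added example, not part of the original message and not Pyramid's own code: one way to keep nested session classes while storing only JSON, by tagging each object with its class name and rebuilding it on load strictly from an allowlist. The classes `Address` and `Profile`, the `__type__` tag and the serializer name are hypothetical, and it assumes the session backend accepts an object with `dumps`/`loads` methods that work on bytes.

```python
import json
from dataclasses import dataclass, field, fields, is_dataclass

# Hypothetical stand-ins for the application's nested session classes.
@dataclass
class Address:
    city: str
    country: str

@dataclass
class Profile:
    name: str
    addresses: list = field(default_factory=list)

# Only these classes may be rebuilt on load; any other tag is rejected.
ALLOWED = {cls.__name__: cls for cls in (Address, Profile)}
TAG = "__type__"  # constructed marker key, reserved for this serializer

def _encode(obj):
    """json.dumps default hook: tag allowlisted dataclasses, refuse the rest."""
    if is_dataclass(obj) and type(obj).__name__ in ALLOWED:
        data = {f.name: getattr(obj, f.name) for f in fields(obj)}
        data[TAG] = type(obj).__name__
        return data
    raise TypeError(f"not session-serializable: {type(obj).__name__}")

def _decode(d):
    """json.loads object_hook: rebuild tagged dicts via the allowlist only."""
    name = d.pop(TAG, None)
    if name is None:
        return d  # ordinary dict, leave as-is
    if name not in ALLOWED:
        raise ValueError(f"unknown session type: {name!r}")
    return ALLOWED[name](**d)  # unexpected fields raise TypeError

class AllowlistJSONSerializer:
    """dumps/loads pair: Python object to bytes and back, JSON on the wire."""
    def dumps(self, value):
        return json.dumps(value, default=_encode).encode("utf-8")

    def loads(self, data):
        return json.loads(data.decode("utf-8"), object_hook=_decode)
```

Unlike unpickling, loading here can only ever call the constructors listed in `ALLOWED`, so a tampered session payload fails with an error instead of instantiating arbitrary objects.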
