librelist archives

Flask / Werkzeug changes to session handling?

From: Robert Shady
Date: 2013-08-19 @ 09:59
I updated our development server and related packages and it broke so
much stuff, I'm now going through and trying to fix it.

One of the things that "broke" was setting cookies to an Integer value.
Now I know technically this isn't broken, as apparently all cookies are
supposed to be String values in the first place, but it was allowed in
previous versions and worked as expected.

Something else that "broke" in the newer versions, and I just wanted to
clarify (I'm guessing this has something to do with the cookies as a
string thing again) is the ability to set a session variable equal to a
class.

For example, let's say I had this:

class User():
    def __init__(self, id=None, name=None):
        self.id = id
        self.name = name


Or whatever, you used to be able to do this…
    session['user'] = user

And then later in the code reference 
    session['user'].id



But now when you try to do:
    session['user'] = user

It throws an exception saying it can't serialize json user.  It worked
perfectly fine in older versions, and we were very excited about being
able to store data structures across sessions.

Now I understand there are work-arounds for both of these "problems", I
just wanted to confirm my suspicions before setting out on that journey.

Thanks!
-- Rob

Re: [flask] Flask / Werkzeug changes to session handling?

From: Mark Grey
Date: 2013-08-19 @ 13:26
What version were you previously running?  Someone chime in if I'm
mistaken, but I believe the introduction of the itsdangerous module might
be what you're referring to, and that happened in 0.8.

Additionally, the decision was further made to move to a special JSON
serial rather than pickle for security purposes in the latest release.

http://flask.pocoo.org/docs/upgrading/
http://flask.pocoo.org/snippets/51/
https://github.com/maxcountryman/flask-login/issues/31

10.1 does however support binary strings in the session, uncertain about
client side cookies.

http://flask.pocoo.org/docs/changelog/

There is an extension called Flask-oldsessions if you're interested, but
from what I can tell the improved safeguards are worth the extra
implementation.
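
Added example, not part of either message and not code from Flask or itsdangerous: a stdlib-only stand-in for a signed JSON session cookie, reproducing the serialization error from the thread and showing a round trip that stores only primitive fields and rebuilds the object explicitly. SECRET_KEY, to_session, from_session, dumps, loads and the HMAC cookie layout are assumptions made for illustration; Flask's real cookie format differs.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"  # constructed value for this example

class User:
    def __init__(self, id=None, name=None):
        self.id = id
        self.name = name

    def to_session(self):
        return {"id": self.id, "name": self.name}

    @classmethod
    def from_session(cls, data):
        # Explicit reconstruction: the cookie never chooses which class to build.
        return cls(id=int(data["id"]), name=str(data["name"]))


def dumps(session):
    """Serialize to JSON and append an HMAC-SHA256 tag (simplified signing)."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


def loads(cookie):
    """Verify the tag before parsing; return None for a tampered or malformed cookie."""
    payload, sep, tag = cookie.rpartition(b".")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def store_raw_object_fails():
    """Reproduce the error from the thread: a class instance is not JSON-serializable."""
    try:
        dumps({"user": User(7, "rob")})
    except TypeError:
        return True
    return False


def round_trip(user):
    """Store primitives in the cookie, then rebuild a User from the verified data."""
    cookie = dumps({"user": user.to_session()})
    return User.from_session(loads(cookie)["user"])
```

Because the payload is plain JSON, a verified cookie can only ever yield dicts, lists, strings and numbers, which is the safeguard the move away from pickle provides.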

