diff options
| author | jonathan vanasco <jonathan@2xlp.com> | 2019-11-04 17:56:27 -0500 |
|---|---|---|
| committer | jonathan vanasco <jonathan@2xlp.com> | 2019-11-05 16:51:11 -0500 |
| commit | 3bc31c66c41f795abdaa270645f1046f70a86e07 (patch) | |
| tree | e10cbd7003f1ff37302245feb0133bf895f06465 /docs/narr | |
| parent | b6604fc39e542a78bc6cb4f009bf972ba4db098f (diff) | |
| download | pyramid-3bc31c66c41f795abdaa270645f1046f70a86e07.tar.gz pyramid-3bc31c66c41f795abdaa270645f1046f70a86e07.tar.bz2 pyramid-3bc31c66c41f795abdaa270645f1046f70a86e07.zip | |
fixed rst; migrated some inline references to the docs
Diffstat (limited to 'docs/narr')
| -rw-r--r-- | docs/narr/sessions.rst | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/docs/narr/sessions.rst b/docs/narr/sessions.rst index d9befec82..8ae20d63e 100644 --- a/docs/narr/sessions.rst +++ b/docs/narr/sessions.rst @@ -85,6 +85,12 @@ This is a stricter contract than the previous requirement that all objects be pi This is a backward-incompatible change. Previously, if a client-side session implementation was compromised, it left the application vulnerable to remote code execution attacks using specially-crafted sessions that execute code when deserialized. +Please reference the following tickets if detailed information on these changes is needed: + +* `2.0 feature request: Require that sessions are JSON serializable #2709 <https://github.com/pylons/pyramid/issues/2709>`_. +* `deprecate pickleable sessions, recommend json #3353 <https://github.com/pylons/pyramid/pull/3353>`_. +* `change to use JSONSerializer for SignedCookieSessionFactory #3413 <https://github.com/pylons/pyramid/pull/3413>`_. + For users with compatibility concerns, it's possible to craft a serializer that can handle both formats until you are satisfied that clients have had time to reasonably upgrade. Remember that sessions should be short-lived and thus the number of clients affected should be small (no longer than an auth token, at a maximum). An example serializer: |