
> You are not saving anything there. A session should really only contain user id.

So it looks like Flask is using something that just deliberately runs pickled strings. Even if I know my own secret key, I don't exactly need to be able to send myself arbitrary code. So JSON seems to make sense to me for my use cases.

    pickle.loads("cos\nsystem\n(S'whoami'\ntR.")
Right... so anyway, does anyone know which session engine I want to use with Flask if I want to generate a token for a user's session, which I can then later revoke if I end up hating that user's session but not two other sessions?


> JSON seems to make sense to me for my use cases

It should be noted that the maintainer knows this, but has commented that he cannot change the default to json because folks are still storing non-json-safe data.

This is the right decision (for now). Otherwise, we'd see a "flask just broke everyone's apps" story on the front page.
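The two threads above ask for the same thing from different ends: a session format that cannot execute anything on load, and a per-session token that can be revoked on its own. The following is an added example written for this discussion, not Flask's or itsdangerous's own code. It assumes a cookie layout of `base64(JSON) + "." + base64(HMAC-SHA256)` and a hypothetical in-memory `SessionStore` in which the cookie carries only a random session id; it also shows the migration hazard the second comment describes, since `json.dumps` refuses values such as `datetime` that pickle would have accepted silently.

```python
"""Signed JSON session cookie plus a server-side, revocable session table.
Illustrative code for this thread, not a framework's implementation; the
cookie layout and the SessionStore class are assumptions made here."""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import datetime


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(secret: bytes, payload: dict) -> str:
    """Serialize with JSON (never pickle) and append an HMAC tag.
    Non-JSON-safe values (e.g. datetime) raise TypeError right here, which
    is why switching an existing app's default serializer can break it."""
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(secret: bytes, cookie: str):
    """Return the payload dict, or None if the format or tag is invalid.
    The tag is checked in constant time before the body is parsed at all,
    so an unauthenticated body never reaches a deserializer."""
    try:
        body, tag = cookie.split(".", 1)
        given = _unb64(tag)
    except ValueError:          # missing '.' or undecodable base64
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    try:
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None


class SessionStore:
    """Server-side sessions: the cookie holds only a random session id,
    so one session can be revoked without touching a user's other ones."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id}
        return sid

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def user_for(self, secret: bytes, cookie: str):
        data = verify_cookie(secret, cookie)
        if not data or "sid" not in data:
            return None
        record = self._sessions.get(data["sid"])
        return record["user_id"] if record else None


def is_json_safe(value) -> bool:
    """True if the value survives json.dumps; datetime, sets, objects do not."""
    try:
        json.dumps(value)
        return True
    except TypeError:
        return False


def demo():
    """Three sessions for user 42; revoke the middle one; try a cookie
    signed with the wrong key; probe a non-JSON-safe session value."""
    secret = secrets.token_bytes(32)
    store = SessionStore()
    cookies = [sign_cookie(secret, {"sid": store.create(42)}) for _ in range(3)]
    store.revoke(verify_cookie(secret, cookies[1])["sid"])
    real_sid = verify_cookie(secret, cookies[0])["sid"]
    forged = sign_cookie(b"not-the-server-key", {"sid": real_sid})
    return {
        "remaining": [store.user_for(secret, c) for c in cookies],
        "forged": store.user_for(secret, forged),
        "datetime_safe": is_json_safe({"t": datetime(2012, 1, 1)}),
    }


if __name__ == "__main__":
    print(demo())
```

Revocation works because the cookie is a pointer, not the session: dropping the row makes every copy of that cookie dead while the user's other two sessions keep working. A real deployment would keep the table in a database or cache with an expiry and would rotate the secret on a schedule; those pieces are left out here.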


Why do people keep doing these things in new frameworks? It has been known for many years that it is not secure to receive pickles from clients, and yet the same mistake keeps being repeated.


Flask doesn't have a user system and as such stores nothing of its own in the session.



