openid/python-openid

Serialize YadisServiceManager instance before writing it to session dict

jgehrcke opened this issue · 5 comments

Here:

def store(self, session):

the whole YadisServiceManager instance gets written into the session, which is a dict-like object. This basically requires the web framework that writes this session data somewhere (e.g. to a cookie) to use pickle as the serializer, while sometimes JSON or others might be desired.

In my special case (Flask + OpenID-ext + itsdangerous-ext) this led to: `<openid.yadis.manager.YadisServiceManager object at 0x9fa6f2c> is not JSON serializable` during the authentication process.

Therefore, it would be nice to have the serialization/deserialization done by python-openid, so that it is possible for python-openid to store a string in the session, which should not break any storage backend. By doing so, one could consider only storing the relevant data, because pickling this whole object for sure brings along some overhead.

Thanks for consideration,

Jan-Philip Gehrcke
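To make the failure and the proposed fix concrete, here is an added example. It is not code from python-openid and not part of the issue text above. It uses a hypothetical stand-in class with assumed attribute names and an assumed session key name, because the real YadisServiceManager layout is not reproduced on this page. It contrasts the current behaviour (the live object dropped into the session dict, which a JSON session backend rejects) with the approach the issue asks for (a JSON string of only the whitelisted fields), and checks that the whitelisted form survives a round trip.

```python
import json

# Hypothetical stand-in for openid.yadis.manager.YadisServiceManager. The
# attribute names are assumptions chosen for this illustration; they are not
# python-openid's real internal layout.
class YadisServiceManagerStub:
    def __init__(self, starting_url, yadis_url, services, session_key):
        self.starting_url = starting_url
        self.yadis_url = yadis_url
        self.services = services          # list of plain dicts, one per endpoint
        self.session_key = session_key
        self._current = None              # transient; not worth persisting

# Assumed session key name; the real one used by python-openid may differ.
SESSION_KEY = "_yadis_services_openid_consumer"

# The pattern the issue describes: the live object goes straight into the
# session dict, so any non-pickle session serializer rejects it.
def store_object(session, manager):
    session[SESSION_KEY] = manager

# The proposed alternative: whitelist the fields needed to resume discovery,
# encode them as a JSON string, and store only that string.
def serialize_manager(manager):
    return json.dumps({
        "starting_url": manager.starting_url,
        "yadis_url": manager.yadis_url,
        "services": manager.services,
        "session_key": manager.session_key,
    })

def deserialize_manager(text):
    data = json.loads(text)
    return YadisServiceManagerStub(
        data["starting_url"], data["yadis_url"], data["services"], data["session_key"],
    )

def store_serialized(session, manager):
    session[SESSION_KEY] = serialize_manager(manager)

def load_serialized(session):
    text = session.get(SESSION_KEY)
    return None if text is None else deserialize_manager(text)

def session_is_json_safe(session):
    """True if a JSON-based session backend could encode this session dict."""
    try:
        json.dumps(session)
    except TypeError:
        return False
    return True

def make_manager():
    # Constructed sample data, not taken from a real discovery run.
    services = [
        {"server_url": "https://idp.example/openid",
         "type_uris": ["http://specs.openid.net/auth/2.0/signon"],
         "local_id": None},
        {"server_url": "https://idp.example/openid-legacy",
         "type_uris": ["http://openid.net/signon/1.1"],
         "local_id": "https://idp.example/u/alice"},
    ]
    return YadisServiceManagerStub(
        "https://alice.example/", "https://alice.example/xrds", services, "openid_consumer",
    )

def demo():
    direct, serialized = {}, {}
    store_object(direct, make_manager())
    store_serialized(serialized, make_manager())
    restored = load_serialized(serialized)
    return {
        "direct_json_safe": session_is_json_safe(direct),          # False: object in session
        "serialized_json_safe": session_is_json_safe(serialized),  # True: only a str in session
        "stored_type": type(serialized[SESSION_KEY]).__name__,
        "round_trip_ok": (restored.services == make_manager().services
                          and restored.yadis_url == "https://alice.example/xrds"),
    }

if __name__ == "__main__":
    print(demo())
```

Storing a string keeps python-openid independent of whatever serializer the framework's session backend uses, and the explicit field whitelist means no private or transient attributes leak into cookies or server-side stores.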

I also ran into this and worked around it by just pickling the session keys that python-openid added before encoding (and unpickling when loading): https://gist.github.com/1234843

Just ran into this same error in a Django 1.6 app.

Related: https://bugs.launchpad.net/django-openid-auth/+bug/1252826

Also having the same issue. It shows up in Django 1.6 because 1.6 moves away from using SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' by default, which Django versions prior to 1.6 did. This serializer has a security hole, which means that using it as a workaround for this issue is undesirable.
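As an added illustration of why a pickle-based session serializer is a poor workaround (this is not code from the thread, from Django or from python-openid): pickle.loads will call any importable callable named in the byte stream, so whoever can get bytes into the session store (for example a signed-cookie backend whose signing key has leaked, or a writable server-side session store) gets code execution in the web process. The callable below is a harmless recorder standing in for whatever an attacker would pick; the session key name is an assumption. A JSON serializer has no such hook, which is why the same session shape loaded through json.loads runs nothing.

```python
import json
import pickle

# Record of calls made during unpickling; populated only if pickle.loads ran code.
CALLS = []

def record(tag):
    # Benign stand-in for the callable an attacker would choose. It only
    # appends to a list; the point is that pickle.loads invoked it at all.
    CALLS.append(tag)
    return tag

class SessionBlob:
    # __reduce__ is the documented pickle hook that tells the loader which
    # callable to invoke, with which arguments, to rebuild the object.
    def __reduce__(self):
        return (record, ("called during pickle.loads",))

def load_with_pickle(data: bytes):
    # What a pickle-based session serializer effectively does on every request.
    return pickle.loads(data)

def load_with_json(data: bytes):
    # What a JSON-based serializer does: pure data, no callables.
    return json.loads(data.decode("utf-8"))

def demo():
    CALLS.clear()
    blob = pickle.dumps(SessionBlob())        # constructed "session" bytes
    load_with_pickle(blob)
    ran_under_pickle = list(CALLS)

    CALLS.clear()
    # Assumed key name for illustration; a JSON blob cannot carry a callable at all.
    json_blob = json.dumps({"_openid_consumer_last_token": "t-123"}).encode("utf-8")
    restored = load_with_json(json_blob)
    return {
        "pickle_ran_code": ran_under_pickle == ["called during pickle.loads"],
        "json_ran_code": bool(CALLS),
        "json_restored": restored,
    }

if __name__ == "__main__":
    print(demo())
```

Django's own documentation carries the same warning, and PickleSerializer was later deprecated and removed from Django; the safe direction is the one the issue proposes, making python-openid's session payload JSON-friendly rather than forcing every deployment back onto pickle.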

Last year I was working on a project using python-openid and, after opening a few pull requests here, @willnorris gave me access to the repository.

Unfortunately I'm not working with python-openid anymore so I don't have time to address this and the other issues. As far as I know no one else is maintaining this library.

If someone creates a pull request to fix this issue and others can test and vouch for it I will approve it.