Serialize YadisServiceManager instance before writing it to session dict

jgehrcke opened this issue 13 years ago • 4 comments

Here:

https://github.com/openid/python-openid/blob/12efd783e7b58aa72aff8feaff54bed1c133a3f9/openid/yadis/manager.py#L53

the whole YadisServiceManager instance gets written into the session, which is a dict-like object. This basically requires the web framework writing this session data somewhere (e.g. to a cookie) to use pickle as serializer, while sometimes JSON or others might be desired.

In my special case (Flask + OpenID-ext + itsdangerous-ext) this led to: <openid.yadis.manager.YadisServiceManager object at 0x9fa6f2c> is not JSON serializable during the authentication process.

Therefore, it would be nice to have the serialization/deserialization done by python-openid, so that it is possible for python-openid to store a string to the session, which should not break any storage backend. By doing so, one could consider only storing the relevant data, because pickling this whole object for sure brings along some overhead.

Thanks for consideration,

Jan-Philip Gehrcke

jgehrcke avatar Jul 08 '11 16:07 jgehrcke

I also ran into this and worked around it by just pickling the session keys that python-openid added before encoding (and unpickling when loading): https://gist.github.com/1234843

lerouxb avatar Sep 22 '11 14:09 lerouxb

Just ran into this same error in a Django 1.6 app.

Related: https://bugs.launchpad.net/django-openid-auth/+bug/1252826

scribu avatar May 19 '14 08:05 scribu

Also having the same issue. It shows up in Django 1.6 because 1.6 moves away from using SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' by default, which Django versions prior to 1.6 did. This serializer has a security hole, which means that using it as a workaround for this issue is undesirable.

adam-thomas avatar May 22 '14 15:05 adam-thomas
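To make the original report concrete, and adam-thomas's point that switching the session back to PickleSerializer is not an acceptable workaround, the following added example (not code from python-openid or from anyone in this thread) contrasts writing the manager object itself into a JSON-only session with writing a JSON string of just the relevant fields, which is what the report asks the library to do. StandInServiceManager and its attribute names, JsonSession, is_json_safe, the session key and the URLs are all constructed for the example and are not the library's own.

```python
import json
from dataclasses import dataclass, asdict
from typing import List, Optional


# Constructed stand-in for openid.yadis.manager.YadisServiceManager. The real
# class keeps the starting URL, the Yadis URL, the discovered services and the
# service currently being tried; the attribute names here are assumptions
# chosen to keep the example self-contained, not the library's own.
@dataclass
class StandInServiceManager:
    starting_url: str
    yadis_url: str
    services: List[dict]          # each entry: a plain dict describing one endpoint
    session_key: str
    current_index: Optional[int] = None


class JsonSession(dict):
    """Dict-like session whose storage layer only understands JSON, like a
    Flask signed-cookie session or Django >= 1.6 with JSONSerializer."""

    def dump(self) -> str:
        # json.dumps raises TypeError for arbitrary Python objects; this is the
        # "... is not JSON serializable" failure from the report.
        return json.dumps(dict(self))

    @classmethod
    def load(cls, raw: str) -> "JsonSession":
        return cls(json.loads(raw))


def is_json_safe(value) -> bool:
    """Check a value before it is written to the session, so a backend that
    does not use pickle fails early with a clear message instead of mid-login."""
    try:
        json.dumps(value)
        return True
    except (TypeError, ValueError):
        return False


def store_object(session: dict, manager: StandInServiceManager) -> None:
    # Current behaviour: the whole object goes into the session. Only a
    # pickle-based serializer can persist this.
    session[manager.session_key] = manager


def store_serialized(session: dict, manager: StandInServiceManager) -> None:
    # Proposed behaviour: the library serializes the relevant fields itself and
    # writes a plain string, which any session backend can store.
    session[manager.session_key] = json.dumps(asdict(manager))


def load_serialized(session: dict, session_key: str) -> Optional[StandInServiceManager]:
    raw = session.get(session_key)
    if raw is None:
        return None
    data = json.loads(raw)
    # Rebuilt from data fields only: the deserializer executes no code, unlike
    # unpickling data that came back from a client-side session store.
    return StandInServiceManager(**data)


def demo() -> dict:
    """Run both strategies against a constructed manager and report the outcome."""
    manager = StandInServiceManager(
        starting_url="https://example.invalid/user",          # constructed
        yadis_url="https://example.invalid/user/yadis",       # constructed
        services=[{"uri": "https://example.invalid/openid",   # constructed
                   "type": "http://specs.openid.net/auth/2.0/signon"}],
        session_key="_yadis_services",                        # constructed key name
        current_index=0,
    )
    result = {}

    # Strategy 1: object in session -> JSON backend cannot persist it.
    s1 = JsonSession()
    store_object(s1, manager)
    result["object_is_json_safe"] = is_json_safe(s1[manager.session_key])
    try:
        s1.dump()
        result["object_dump_error"] = None
    except TypeError as exc:
        result["object_dump_error"] = str(exc)

    # Strategy 2: JSON string in session -> persists and round-trips.
    s2 = JsonSession()
    store_serialized(s2, manager)
    raw = s2.dump()
    restored = load_serialized(JsonSession.load(raw), manager.session_key)
    result["serialized_roundtrip_ok"] = restored == manager
    result["stored_type"] = type(s2[manager.session_key]).__name__
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The is_json_safe check is the kind of guard a session wrapper can apply at write time; the store_serialized/load_serialized pair is the shape of the change the report proposes, with the added benefit that only the fields needed to resume discovery are stored.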

Last year I was working on a project using python-openid and, after opening a few pull requests here, @willnorris gave me access to the repository.

Unfortunately I'm not working with python-openid anymore so I don't have time to address this and the other issues. As far as I know no one else is maintaining this library.

If someone creates a pull request to fix this issue and others can test and vouch for it I will approve it.

rodrigoprimo avatar May 28 '14 12:05 rodrigoprimo

This repo is being archived. Closing issue.

timcappalli avatar Jul 24 '23 17:07 timcappalli