Not compatible with the Django 1.6 default JSON_SESSION_SERIALIZER

Bug #1252826 reported by Tim Abbott
This bug affects 7 people
Affects                             | Status    | Importance | Assigned to | Milestone
django-openid-auth                  | Confirmed | Undecided  | Unassigned  |
python-django-openid-auth (Ubuntu)  | Triaged   | Medium     | Unassigned  |

Bug Description

In Django 1.6, the default session serializer has been switched to one based on JSON, rather than pickles, to improve security. Django-openid-auth does not support this because it attempts to store content that is not JSON serializable in sessions. See https://docs.djangoproject.com/en/dev/releases/1.6/#default-session-serialization-switched-to-json for details on the Django 1.6 change.

Andrew Starr-Bochicchio (andrewsomething) wrote:

I can confirm this. Traceback below:

Environment:

Request Method: GET
Request URL: http://127.0.0.1:8000/openid/login/

Django Version: 1.6
Python Version: 2.7.5
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django_openid_auth',
 'django.contrib.admin',
 'django.contrib.comments',
 'uploads')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware')

Traceback:
File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response
  201. response = middleware_method(request, response)
File "/usr/lib/python2.7/dist-packages/django/contrib/sessions/middleware.py" in process_response
  38. request.session.save()
File "/usr/lib/python2.7/dist-packages/django/contrib/sessions/backends/db.py" in save
  57. session_data=self.encode(self._get_session(no_load=must_create)),
File "/usr/lib/python2.7/dist-packages/django/contrib/sessions/backends/base.py" in encode
  87. serialized = self.serializer().dumps(session_dict)
File "/usr/lib/python2.7/dist-packages/django/core/signing.py" in dumps
  88. return json.dumps(obj, separators=(',', ':')).encode('latin-1')
File "/usr/lib/python2.7/json/__init__.py" in dumps
  250. sort_keys=sort_keys, **kw).encode(obj)
File "/usr/lib/python2.7/json/encoder.py" in encode
  207. chunks = self.iterencode(o, _one_shot=True)
File "/usr/lib/python2.7/json/encoder.py" in iterencode
  270. return _iterencode(o, 0)
File "/usr/lib/python2.7/json/encoder.py" in default
  184. raise TypeError(repr(o) + " is not JSON serializable")

Exception Type: TypeError at /openid/login/
Exception Value: <openid.yadis.manager.YadisServiceManager object at 0x7fa43c0bea50> is not JSON serializable

Changed in django-openid-auth:
status: New → Confirmed
Mathieu Comandon (strycore) wrote:

I tried to write a patch for this but couldn't figure out how. I guess it has something to do with python-openid itself; not sure, as I don't have a deep knowledge of this codebase.

Anyway, the best I could do was reverting to the old Pickle serializer as a workaround. I updated the test project accordingly on my branch: https://code.launchpad.net/~strycore/django-openid-auth/trunk

Btw, this branch contains other patches necessary to provide Django 1.6 compatibility.

Changed in python-django-openid-auth (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Dani Llewellyn (diddledani) wrote:

One potential fix is to follow https://github.com/openid/python-openid/blob/master/openid/consumer/consumer.py#L90 which suggests that it can work in stateless mode by passing `None` to the `Consumer` constructor instead of the Django session.
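
Added example, not part of the bug report and not code from django-openid-auth or python-openid: a session audit that reproduces the `TypeError` from the traceback above with the same `json.dumps` call and lists which session values block a move to the JSON serializer, including values JSON accepts but changes on reload. It is written for Python 3; `FakeServiceManager`, the session key names and the function names are constructed for illustration.

```python
import json


class FakeServiceManager:
    """Constructed stand-in for the object named in the traceback."""


def dumps_like_traceback(session_dict):
    # Same json.dumps call as django/core/signing.py line 88 in the traceback.
    return json.dumps(session_dict, separators=(",", ":")).encode("latin-1")


def json_blockers(value, path="session"):
    """List (path, reason) for values JSON would reject or silently change."""
    found = []
    if isinstance(value, dict):
        for key, item in value.items():
            where = "%s[%r]" % (path, key)
            if not isinstance(key, str):
                found.append((where, "key of type %s" % type(key).__name__))
            found.extend(json_blockers(item, where))
    elif isinstance(value, (list, tuple)):
        if isinstance(value, tuple):
            found.append((path, "tuple reloads as list"))
        for index, item in enumerate(value):
            found.extend(json_blockers(item, "%s[%d]" % (path, index)))
    elif not isinstance(value, (str, int, float, bool, type(None))):
        found.append((path, "object of type %s" % type(value).__name__))
    return found


# Constructed session contents; the key names are hypothetical.
SAMPLE_SESSION = {
    "_auth_user_id": 7,
    "discovery_state": FakeServiceManager(),
    "return_to": ("https://example.test/", 3),
}


def raises_type_error(session_dict):
    try:
        dumps_like_traceback(session_dict)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(raises_type_error(SAMPLE_SESSION))
    for where, reason in json_blockers(SAMPLE_SESSION):
        print(where, "->", reason)
```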
