Cookie should use itsdangerous for signing #6

Open
davidism opened this issue Feb 25, 2020 · 2 comments
Labels
enhancement New feature or request security Pull requests that address a security vulnerability

Comments

@davidism
Member

No description provided.

@davidism davidism added this to the 1.0.0 milestone Feb 26, 2020
@sblondon
Contributor

If I understand correctly, you'd like secure_cookie.cookie.SecureCookie() to use itsdangerous.Signer() to serialize and unserialize the data.

The serialization algorithms are different in the two libraries, so the currently released version will not be compatible with the next version using itsdangerous.Signer(). Do you want to keep backward compatibility?
I think backward compatibility is not important because the sessions have a lifetime of only a few days, but perhaps I'm missing something?

I'm interested in writing a PR.

@davidism
Member Author

Could probably add a fallback that tried the old algorithm if itsdangerous couldn't decode it. Issue a deprecation warning when that happens, to be removed in 1.1.

cc @xmo-odoo

@northernSage northernSage added enhancement New feature or request security Pull requests that address a security vulnerability labels Aug 16, 2021
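
The fallback discussed in the thread above (verify with itsdangerous first, try the old algorithm only when that fails, and emit a deprecation warning), as an added example that is not code from this project or from any commenter. The legacy format here is a hypothetical stand-in (base64 JSON plus a hex HMAC-SHA1), not secure-cookie's actual old serialization; `SALT` and all function names are assumptions.

```python
import base64, hashlib, hmac, json, warnings

from itsdangerous import BadSignature, URLSafeSerializer

SALT = "cookie-session"  # constructed value for this example


def legacy_dump(data, key):
    """Hypothetical old format: urlsafe-base64(JSON) + "." + hex HMAC-SHA1."""
    body = base64.urlsafe_b64encode(json.dumps(data).encode())
    return body + b"." + hmac.new(key, body, hashlib.sha1).hexdigest().encode()


def legacy_load(value, key):
    body, sep, mac = value.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha1).hexdigest().encode()
    # Constant-time compare, and verify before parsing the payload.
    if not sep or not hmac.compare_digest(mac, expected):
        raise BadSignature("legacy signature mismatch")
    return json.loads(base64.urlsafe_b64decode(body))


def dump_cookie(data, key):
    """New cookies are always written in the itsdangerous format."""
    return URLSafeSerializer(key, salt=SALT).dumps(data)


def load_cookie(value, key):
    """Verify with itsdangerous; on failure try the legacy verifier and warn."""
    try:
        return URLSafeSerializer(key, salt=SALT).loads(value)
    except BadSignature:
        pass
    raw = value.encode() if isinstance(value, str) else value
    data = legacy_load(raw, key)  # raises BadSignature if neither format verifies
    warnings.warn(
        "cookie signed with the legacy algorithm; support is deprecated",
        DeprecationWarning,
        stacklevel=2,
    )
    return data
```

While the fallback exists, a cookie is accepted if either verifier accepts it, so the old algorithm's strength still bounds the scheme until the legacy branch is removed.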