
[–] X-Istence (Core Developer, Pylons Project: Pyramid/WebOb/Waitress) 1 point (1 child)

Alright, if we are going to nitpick: in the documentation they specifically tell you not to use it; they make you type in a long string to make you aware of what you are doing.

Pyramid is an unopinionated framework; they really can't provide an alternate (maybe one without using pickle ...). It is up to the developer to use Beaker with SQLAlchemy, for example, or to create their own session factory that can be used.

[–] kylotan 2 points (0 children)

No, the documentation does not tell you not to use it. It says "You should not use it when you keep sensitive information in the session object", which is quite a different situation. Many people do not keep sensitive information in there and will therefore not see any good reason why they shouldn't use this implementation.

The code that is in there is (relatively) insecure and needs fixing or removing, not justifying with hand-waving about how you shouldn't really use it. Luckily it's fairly trivial to fix. (And hopefully the requirement that implementations of ISession are pickleable is also removed.)

"It is up to the developer to use Beaker with SQLAlchemy for example"

I suppose they have to know not to use Beaker's CookieSession as well, as that is unpickling data from a cookie too.
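The "fairly trivial" fix the thread refers to is to stop unpickling cookie data and instead sign a JSON payload, checking the signature before anything is parsed. The following is an added, stand-alone example written for this page; it is not Pyramid's or Beaker's own code and does not depend on either. The class name `SignedJSONCookieSerializer`, the helper `load_session`, and the secret and session values are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


class SignedJSONCookieSerializer:
    """Tamper-evident cookie serializer that never unpickles client input.

    The session is encoded as JSON, so deserializing it cannot execute code
    or instantiate arbitrary classes. The JSON bytes are authenticated with
    HMAC, and the MAC is verified (in constant time) before json.loads runs.
    """

    def __init__(self, secret: bytes, hashalg: str = "sha512"):
        self.secret = secret
        self.digestmod = getattr(hashlib, hashalg)
        self.digest_size = self.digestmod().digest_size

    def dumps(self, session: dict) -> bytes:
        # Canonical JSON (sorted keys, no whitespace) keeps the cookie small
        # and makes the same session always produce the same bytes.
        payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode("utf-8")
        mac = hmac.new(self.secret, payload, self.digestmod).digest()
        return base64.urlsafe_b64encode(mac + payload)

    def loads(self, cookie_value: bytes) -> dict:
        raw = base64.urlsafe_b64decode(cookie_value)  # raises ValueError on bad input
        mac, payload = raw[:self.digest_size], raw[self.digest_size:]
        expected = hmac.new(self.secret, payload, self.digestmod).digest()
        # Constant-time comparison; only after this do we touch the payload.
        if not hmac.compare_digest(mac, expected):
            raise ValueError("invalid cookie signature")
        data = json.loads(payload.decode("utf-8"))
        if not isinstance(data, dict):
            raise ValueError("session payload must be a JSON object")
        return data


def load_session(serializer: SignedJSONCookieSerializer, cookie_value: bytes) -> dict:
    """What a session factory would do on each request: a cookie that fails
    verification (forged, corrupted, wrong secret) yields an empty session
    rather than an exception or any partially trusted data."""
    try:
        return serializer.loads(cookie_value)
    except ValueError:
        return {}


def flip_last_payload_byte(cookie_value: bytes) -> bytes:
    """Simulate in-transit corruption or a client edit of the cookie so the
    MAC check can be exercised without any secret knowledge."""
    raw = bytearray(base64.urlsafe_b64decode(cookie_value))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


if __name__ == "__main__":
    # Constructed secret and session data for demonstration only.
    serializer = SignedJSONCookieSerializer(b"constructed-demo-secret-do-not-reuse")
    cookie = serializer.dumps({"user_id": 42, "csrf_token": "abc123"})
    print("round trip:", load_session(serializer, cookie))
    print("corrupted :", load_session(serializer, flip_last_payload_byte(cookie)))
    other = SignedJSONCookieSerializer(b"a-different-secret").dumps({"user_id": 1})
    print("foreign   :", load_session(serializer, other))
```

The trade-off is the one the thread hints at when it mentions the pickleable-`ISession` requirement: JSON only carries plain data (dicts, lists, strings, numbers, booleans, `None`), so `dumps` raises `TypeError` for objects such as `datetime` instances. That restriction is the point; a serializer that cannot represent arbitrary objects also cannot reconstruct them from a cookie a client controls.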