Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

_create_identifier returns a value that is not serializable to JSON #31

jeremypenner opened this Issue Aug 13, 2012 · 5 comments


None yet
6 participants

After becoming aware that Flask, by default, pickles its session object, and thus is vulnerable to remote execution if someone discovers your secret key ( see http://stacksmashing.net/2012/08/10/dear-flask-please-fix-your-secure-cookies/ ), I tried to switch to using itsdangerous for session management as detailed at http://flask.pocoo.org/snippets/51/ .

Unfortunately, this fails, because _create_identifier returns the raw MD5 digest in bytes, which can't be represented as a Unicode string, and thus serialized to JSON. I can work around this with a custom serializer, but it would be nice if there were at least an option to base64 encode this value or something.


maxcountryman commented Aug 15, 2012

This definitely needs to be fixed. Thanks for pointing this out.

sederek commented Aug 18, 2012

Would changing line 136 with this help?

return hsh.hexdigest()

Or is it more than just this?


xsleonard commented Sep 5, 2012

@sederek yes thats all

Could we have an fix and a new release? This problem is a bit of a bummer if you want to use itsdangerous sessions.
Gist with the fix here: git://gist.github.com/3731115.git

maxcountryman added a commit that referenced this issue Sep 28, 2012

Merge pull request #37 from return1/hexdigest
_create_identifier now returns a JSON serializeable value, fixes #31

I also ran into this issue. My production environment only allows me to use the PyPi version, so I had to monkey patch _create_identifier in my "itsdangerous" session implementation (creepy, but works fine).

@ameily ameily referenced this issue Apr 4, 2013


New PyPi Release #59

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment