_create_identifier returns a value that is not serializable to JSON #31

jeremypenner opened this Issue · 5 comments

6 participants


After becoming aware that Flask, by default, pickles its session object, and thus is vulnerable to remote execution if someone discovers your secret key ( see ), I tried to switch to using itsdangerous for session management as detailed at .

Unfortunately, this fails, because _create_identifier returns the raw MD5 digest in bytes, which can't be represented as a Unicode string, and thus serialized to JSON. I can work around this with a custom serializer, but it would be nice if there were at least an option to base64 encode this value or something.


This definitely needs to be fixed. Thanks for pointing this out.


Would changing line 136 with this help?

return hsh.hexdigest()

Or is it more than just this?


@sederek yes, that's all


Could we have a fix and a new release? This problem is a bit of a bummer if you want to use itsdangerous sessions.
Gist with the fix here: git://


I also ran into this issue. My production environment only allows me to use the PyPI version, so I had to monkey patch _create_identifier in my "itsdangerous" session implementation (creepy, but works fine).

@ameily referenced this issue

New PyPi Release #59
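The failure and both remedies discussed in this thread, as an added example that is not part of the original issue or the project's code. The function names, the `address|user-agent` hash input and the sample values are assumptions made for illustration; on Python 3 the default encoder rejects the raw digest with `TypeError`.

```python
import base64
import hashlib
import json


def identifier_raw(remote_addr, user_agent):
    """Hypothetical stand-in for the reported behaviour: raw 16-byte MD5 digest."""
    base = f"{remote_addr}|{user_agent}".encode("utf-8")
    return hashlib.md5(base).digest()


def identifier_hex(remote_addr, user_agent):
    """The change proposed in the thread: hexdigest() yields 32 ASCII characters."""
    base = f"{remote_addr}|{user_agent}".encode("utf-8")
    return hashlib.md5(base).hexdigest()


class BytesAsBase64(json.JSONEncoder):
    """The custom-serializer workaround: wrap bytes values as tagged base64."""

    def default(self, o):
        if isinstance(o, bytes):
            return {"__b64__": base64.b64encode(o).decode("ascii")}
        return super().default(o)


def decode_b64(obj):
    """object_hook that reverses BytesAsBase64 when the session is loaded."""
    if "__b64__" in obj:
        return base64.b64decode(obj["__b64__"])
    return obj


def try_dump(session):
    """Return (ok, payload or exception name) for the default JSON encoder."""
    try:
        return True, json.dumps(session)
    except (TypeError, UnicodeDecodeError) as exc:
        return False, type(exc).__name__


# Constructed sample request attributes (documentation address range).
ADDR, UA = "203.0.113.7", "ExampleBrowser/1.0"

if __name__ == "__main__":
    print(try_dump({"_id": identifier_raw(ADDR, UA)}))   # rejected by the encoder
    print(try_dump({"_id": identifier_hex(ADDR, UA)}))   # serializes as a plain string
    print(json.dumps({"_id": identifier_raw(ADDR, UA)}, cls=BytesAsBase64))
```

Switching an existing deployment from the raw digest to the hex form changes the stored identifier value, so sessions written with the old format will no longer compare equal to a freshly computed identifier.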
