Allow the JSONSerializer to be used as a session serializer #435
Conversation
As of Django 4.1, the PickleSerializer has been deprecated and will be removed in Django 5.0. In order for the JSONSerializer to be used, we need to avoid persisting objects, like the Connector, directly in the session. This commit transitions use of the Connector to a persist and rehydration strategy similar to how the Django authentication middleware handles model objects. It is also consistent with how we handle our own Server pseudo model object.
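The persist-and-rehydrate strategy described above, as an added example that is not code from the PR or from OMERO.web: a stand-in `Connector` dataclass (its fields, `to_dict`/`from_dict` method names and the `"connector"` session key are assumptions) is stored in the session as a plain dict, round-tripped through `json`, which is what Django's `JSONSerializer` does underneath, and rebuilt from known fields only. Storing the object itself fails under JSON, which is the failure this PR removes; the point of the change from a security standpoint is that loading a session then never instantiates arbitrary classes the way unpickling does.

```python
import json
from dataclasses import dataclass, asdict, fields


@dataclass
class Connector:
    """Stand-in for OMERO.web's Connector (constructed for this example;
    the real class and the PR's method names may differ)."""
    server_id: int
    is_secure: bool
    is_public: bool
    omero_session_key: str
    user_id: int

    def to_dict(self):
        # Persist only plain JSON types, never the object itself.
        return asdict(self)

    @classmethod
    def from_dict(cls, data):
        # Rehydrate from known fields only; unexpected keys are rejected
        # rather than blindly reconstructing whatever was stored.
        allowed = {f.name for f in fields(cls)}
        unknown = set(data) - allowed
        if unknown:
            raise ValueError(f"unexpected connector fields: {sorted(unknown)}")
        return cls(**data)


SESSION_KEY = "connector"  # assumed session key (see the review comments)


def store_connector(session, connector):
    """Persist the connector's dict representation in the session."""
    session[SESSION_KEY] = connector.to_dict()


def load_connector(session):
    """Rehydrate a Connector from the session, or None if absent."""
    data = session.get(SESSION_KEY)
    if data is None:
        return None
    return Connector.from_dict(data)


def json_roundtrip(session):
    """Emulate a JSONSerializer save/load cycle of the whole session dict."""
    return json.loads(json.dumps(session))


def is_json_serializable(session):
    """True if the session survives json.dumps; a raw Connector in it fails."""
    try:
        json.dumps(session)
        return True
    except TypeError:
        return False


def demo():
    # Constructed sample values, not real OMERO credentials.
    connector = Connector(1, True, False, "constructed-session-key", 42)

    # Old approach: the object itself in the session cannot be JSON-encoded.
    legacy_session = {SESSION_KEY: connector}
    legacy_ok = is_json_serializable(legacy_session)

    # New approach: persist a dict, round-trip through JSON, rehydrate.
    session = {}
    store_connector(session, connector)
    restored = load_connector(json_roundtrip(session))
    return legacy_ok, restored == connector


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Downstream code that read `request.session["connector"]` directly gets a dict after this change, which is why the reviewer below flags it as a consumer-visible break; going through the load helper is what keeps such code working.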
From a pure code review, the proposed changes make sense and replace the direct storage of Connector objects within the Django session by a dictionary representation and associated serialization/deserialization methods. This should allow the session to remain serializable both with the current PickleSerializer and the JSONSerializer.
From a consumer perspective, any downstream implementation which was directly assigning and/or retrieving request.session["connector"] would now need to update their codebase and use the new methods as done in this PR.
I did not find any explicit specification of the data stored in OMERO.web sessions either in https://omero.readthedocs.io/en/stable/ or in the docstrings. Additionally, this change is motivated by the deprecation, and the upcoming removal, of the default session serialization mechanism in Django for security reasons. Similarly to how we have treated similar changes in the past, e.g. the upgrade to Django 3.2, this might not justify incrementing the major version of OMERO.web. However, we should definitely treat it as such in terms of documentation and be upfront about the implications for consumers.
I will test the PR in various configurations and report in the upcoming days.
Yes, it's a breaking change.
The main reason I opened this now is that we also have #433 open which is going to require a major version update and an upgrade guide exactly like what we did for Django 3.2.
I'm getting the following error when trying to start omero web with
I'm on Ubuntu 20.04 and have
It looks like my issue was stemming from existing sessions in the
Tested the following:
Thanks, @kkoz. I had similar We have our own version of
I re-tested using
omeroweb/settings.py (outdated)

"django.contrib.sessions.serializers.PickleSerializer",
str,
(
"You can use the this setting to customize the session "
Suggested change:
- "You can use the this setting to customize the session "
+ "You can use this setting to customize the session "
Outline

As of Django 4.1 [1], the PickleSerializer has been deprecated and will be removed in Django 5.0. The next Django LTS (4.2), which we would likely support, is scheduled to be released in April 2023. In order for the JSONSerializer to be used, get ahead of this deprecation, and prepare our userbase for the change, we need to avoid persisting objects, like the Connector, directly in the session. This PR transitions use of the Connector to a persist and rehydration strategy similar to how the Django authentication middleware handles model objects. It is also consistent with how we handle our own Server pseudo model object.

In addition, the SESSION_SERIALIZER Django setting has been moved to an OMERO.web configuration property (omero.web.session_serializer) and left defaulting to the PickleSerializer. When using Redis via the cached session engine the PickleSerializer is used by default regardless of what SESSION_SERIALIZER is set to.

Testing
OMERO.web in its default configuration (SESSION_ENGINE=omeroweb.filesessionstore and SESSION_SERIALIZER=django.contrib.sessions.serializers.PickleSerializer) functionality should remain completely unchanged. Particular attention should be paid to the login, public user, and bsession workflows.

With SESSION_SERIALIZER=django.contrib.sessions.serializers.JSONSerializer functionality should remain completely unchanged.

With SESSION_ENGINE=django.contrib.sessions.backends.cache and SESSION_SERIALIZER=django.contrib.sessions.serializers.PickleSerializer again functionality should remain completely unchanged.

With SESSION_ENGINE=django.contrib.sessions.backends.cache and SESSION_SERIALIZER=django.contrib.sessions.serializers.JSONSerializer the cache itself will need to be configured to use a JSON serializer separately. For django-redis this can be achieved by configuration such as:

Footnotes

[1] https://docs.djangoproject.com/en/4.1/releases/4.1/#id2
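For the last test configuration above, the following Django settings fragment is an added example (not the PR's or OMERO.web's own configuration) of cache-backed sessions that are JSON-serialized end to end. The Redis URL and the `default` cache alias are placeholders; the `SERIALIZER` option is django-redis's own setting for the cache serializer, which is what the "regardless of what SESSION_SERIALIZER is set to" remark in the Outline refers to.

```python
# Django settings fragment (added example, not from the PR).
# Placeholder values: the Redis URL and cache alias.
SESSION_ENGINE = "django.contrib.sessions.backends.cache"
SESSION_CACHE_ALIAS = "default"
SESSION_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"

CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://127.0.0.1:6379/1",  # placeholder
        "OPTIONS": {
            "CLIENT_CLASS": "django_redis.client.DefaultClient",
            # django-redis pickles cache values by default, so without this
            # the session payload is still pickled on the way into Redis
            # even when SESSION_SERIALIZER is the JSONSerializer.
            "SERIALIZER": "django_redis.serializers.json.JSONSerializer",
        },
    }
}
```

A quick check that both layers are in effect is to inspect a session key in Redis after logging in: the stored value should be readable JSON rather than a pickle byte stream.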