Cookies serializer improvements #13945
Conversation
|
Hey guys just a reminder, I don't think it's only flash messages that are broken (not accessible via symbols). But everything on the |
|
@huoxito I think the session object is already behaving like a HWIA by calling We should obviously fix the parts that Rails uses internally (flash, etc), but if you do We'll make sure this is documented by the end of this. |
|
Thanks @chancancode, this is awesome insight. When it comes to naming, maybe use special name for current JSON serializer, something like :safe_json (or other name other name connected to being safe / simple etc.). I will try to find out other things that could be affected by serializer changes. |
|
I like the idea of a hybrid serializer, 4.2 could default to that then 4.NEXT could switch to the pure json serializer. The hybrid serializer could take extra care to raise informative exceptions when people put in non-roundtrippable data structures. |
|
I thought about that, but that would still be a (subtle) breaking change, wouldn't it? (Because people might depends on non-primitives type in their apps.) I like the idea of more aggressively pushing this, but I am not sure if we can make it the default for existing apps. Once you switched to the hybrid serializer, it's kind of a one way street. On Tue, Feb 4, 2014 at 12:29 PM, Michael Koziarski
|
| @@ -588,6 +572,33 @@ end | |||
|
|
|||
| Note that while for session values you set the key to `nil`, to delete a cookie value you should use `cookies.delete(:key)`. | |||
|
|
|||
| Rails also provides a signed cookie jar and an encrypted cookie jar for storing | |||
| sensitive data. The signed cookie jar appends a cryptographic signiture on the | |||
…okies (currently failing)
Stringify the incoming as well to handle incoming symbol keys from marshalled sessions
Also added a `cookies_serializer.rb` initializer to the app template.
|
Alright, I think this is pretty much done 😄 The "Find out what else is broken by swapping the default serializers, then fix those." TODO is still open, because a lot of the tests are testing against the marshal serializer with hardcoded Marshal dumps =/ We should improve that going forward (because it means that a lot of tests aren't covering the JSON serializer – which became the new default now), but maybe we can probably do it post 4.1? |
|
|
||
| # Passing the NullSerializer downstream to the Message{Encryptor,Verifier} | ||
| # allows us to handle the (de)serialization step within the cookie jar, | ||
| # which gives us the opportunity to detect and migrate legacy cookies. |
There was a problem hiding this comment.
Why not have an explicit hybrid serializer and keep the \x04 stuff in there? have deserialize support both and serialize write json?
There was a problem hiding this comment.
It was changed in ead947a to enable automatica write-back.
Previously, I was passing a HybridSerializer downstream to the Message{Encryptor,Verifier}, however, if we want to actually migrate the cookie value on read (i.e. if I access cookies.signed[:some_key] it will re-write it as json), then it has to be done on the cookie jar level, because it needs access to []= on the cookie jar.
That is mainly to mirror the behaviour on the legacy cookie jar migration thing we did from 3.2 -> 4.0, and to more aggressively migrate legacy cookies.
If we don't care for that, it could be much simpler.
There was a problem hiding this comment.
For reference, this is the before code:
rails/actionpack/lib/action_dispatch/middleware/cookies.rb
Lines 387 to 397 in fafe8ec
There was a problem hiding this comment.
I see, if you can't piggyback on @set_cookies in the cookie jar then I guess this is the best way to handle it, does seem a bit janky is all
There was a problem hiding this comment.
Yeah, it's definitely a bit of a hack. I tried to come up with better ways to implement this, but I couldn't =/ The main problem is that if the deserialization is happening downstream, the cookie jar has no insight on whether a migration is necessary or not. If there are any suggestions over this I'd love to hear them 😄
Cookies serializer improvements
|
This is in 4-1-stable branch already and 4.1.0.rc1 was created from 4-1-stable branch 😁 what problem are you seeing? |
|
@guilleiguaran Nevermind. I removed my earlier comment. I was storing a HWIA in the session. Apparently I can no longer do that with the default JSON serializer. |
In rails 4.1 the default session serializer has been switched to a JSON serializer, which doesn't support serializing class. See rails/rails#13945 (comment)
In rails 4.1 the default session serializer has been switched to a JSON serializer, which doesn't support serializing class. See rails/rails#13945 (comment)
In rails 4.1 the default session serializer has been switched to a JSON serializer, which doesn't support serializing class. See rails/rails#13945 (comment)
HybridSerializer(need a better name): subclassJsonSerializerto transparently migrate existing marshalled cookies into JSON cookies (we can detect the marshal signiture "\x04\x08" and branch accordingly).