summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2015-08-27 09:55:53 -0400
committerTim Graham <timograham@gmail.com>2015-08-27 10:00:18 -0400
commit956df84a613d4b9a92c979e46557243d288282c8 (patch)
tree90e1eb12e3272f45d62d72104370196200af14ec /docs
parente8cbc2b322d873a6fe39faca18d340ce93035087 (diff)
Removed historical note about session serialization.
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/http/sessions.txt32
1 files changed, 13 insertions, 19 deletions
diff --git a/docs/topics/http/sessions.txt b/docs/topics/http/sessions.txt
index 36c504ba40..3a825f28cb 100644
--- a/docs/topics/http/sessions.txt
+++ b/docs/topics/http/sessions.txt
@@ -319,28 +319,22 @@ You can edit it multiple times.
Session serialization
---------------------
-Before version 1.6, Django defaulted to using :mod:`pickle` to serialize
-session data before storing it in the backend. If you're using the :ref:`signed
-cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
-known by an attacker (there isn't an inherent vulnerability in Django that
-would cause it to leak), the attacker could insert a string into their session
-which, when unpickled, executes arbitrary code on the server. The technique for
-doing so is simple and easily available on the internet. Although the cookie
-session storage signs the cookie-stored data to prevent tampering, a
-:setting:`SECRET_KEY` leak immediately escalates to a remote code execution
-vulnerability.
-
-This attack can be mitigated by serializing session data using JSON rather
-than :mod:`pickle`. To facilitate this, Django 1.5.3 introduced a new setting,
-:setting:`SESSION_SERIALIZER`, to customize the session serialization format.
-For backwards compatibility, this setting defaults to
-using :class:`django.contrib.sessions.serializers.PickleSerializer` in
-Django 1.5.x, but, for security hardening, defaults to
-:class:`django.contrib.sessions.serializers.JSONSerializer` in Django 1.6.
-Even with the caveats described in :ref:`custom-serializers`, we highly
+By default, Django serializes session data using JSON. You can use the
+:setting:`SESSION_SERIALIZER` setting to customize the session serialization
+format. Even with the caveats described in :ref:`custom-serializers`, we highly
recommend sticking with JSON serialization *especially if you are using the
cookie backend*.
+For example, here's an attack scenario if you use :mod:`pickle` to serialize
+session data. If you're using the :ref:`signed cookie session backend
+<cookie-session-backend>` and :setting:`SECRET_KEY` is known by an attacker
+(there isn't an inherent vulnerability in Django that would cause it to leak),
+the attacker could insert a string into their session which, when unpickled,
+executes arbitrary code on the server. The technique for doing so is simple and
+easily available on the internet. Although the cookie session storage signs the
+cookie-stored data to prevent tampering, a :setting:`SECRET_KEY` leak
+immediately escalates to a remote code execution vulnerability.
+
Bundled Serializers
^^^^^^^^^^^^^^^^^^^