Open jcmfernandes opened 1 month ago
I've merger your other PR.
I'm a big fan of symbolic keys if the keys don't represent arbitrary user data, so I'd support the JSON decoder using symbolize_names
or similar approaches.
I think we can gracefully introduce support using a flag or option, or deprecation warnings, or as you say, a major version bump.
Do you mind rebasing on main?
This is a follow-up on #39 that must be merged first.
I deliberately avoided allowing
Marshal
serialization in the v2 encryptor because 1)Marshal
has been a source of RCE vulnerabilities and 2) serializing messages as JSON allows for better interoperability, making it trivial to access sessions created with rack-session in other languages.However, it's impossible to swap
Marhal
withJSON
without breaking users' code that relies onMarhal
behavior thatJSON
doesn't mimic (e.g., preserving ruby symbols).So... I see 3 ways forward:
1) We close this PR and release yet another major 2) We close this PR and make v2 opt-in instead of the default 3) We merge this PR
Happy to hear some feedback.