[Flask] Session question
Cameron Simpson
cs at cskk.id.au
Thu Apr 16 22:44:44 EDT 2020
On 17Apr2020 14:17, Richard Hector <richard at walnut.gen.nz> wrote:
>It appears that sessions are stored in a cookie/cookies in the browser,
>rather than just setting a random session id and storing in the database
>or whatever. I was under the impression (though I'm a web development
>newbie) that this wasn't considered best practice. Is there a way to
>change this behaviour, to store the session info server-side instead?
It depends what you do. The cookie side session is for state you need to
share with the browser anyway: the logged in user, or other
browser/client side data. Of course you should keep server-private data
on the server side.
So (a) there should be no "secrets" in the cookie side session data,
only data the browser app would already know and (b) the session cookie
is signed against a server side secret. That latter means that a hostile
browser/client cannot modify the session cookie and have the change
believed by the server, because the cookie signature would then be
invalid.
So, yes, most state should be server side. The cookie session stuff is
for state the client needs to know anyway.
Cheers,
Cameron Simpson <cs at cskk.id.au>
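Added illustration of the two points above (not code from this thread, and not Flask's own implementation, which uses the itsdangerous library for the same signing job): a cookie payload is only base64-encoded JSON, so the client can read it, but a tampered payload fails the HMAC check and is rejected; server-private data instead lives in a server-side store keyed by a random id that is all the cookie carries. `SERVER_SECRET`, `sign_session`, `load_session` and `ServerSideSessions` are names and a constructed secret chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secret for this example; a real app loads it from configuration.
SERVER_SECRET = b"example-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_session(data: dict, secret: bytes = SERVER_SECRET) -> str:
    """Serialize `data` and append an HMAC-SHA256 tag keyed with the server secret."""
    payload = _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def load_session(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the session dict if the tag verifies, else None (cookie is ignored)."""
    try:
        payload, tag = cookie.rsplit(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison so tag checking leaks nothing via timing.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # malformed split, bad base64, or bad JSON
        return None


class ServerSideSessions:
    """Server-private state keyed by an opaque random id; only the id goes in the cookie."""

    def __init__(self):
        self._store = {}

    def create(self, private_data: dict) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._store[sid] = dict(private_data)
        return sid

    def get(self, sid: str):
        return self._store.get(sid)

    def destroy(self, sid: str) -> None:
        self._store.pop(sid, None)


def demo() -> dict:
    """Show what the client can read, and that a modified payload is rejected."""
    cookie = sign_session({"user": "alice", "role": "user"})
    payload, tag = cookie.split(".")
    # Anyone holding the cookie can decode the payload: it is signed, not encrypted.
    readable = json.loads(_unb64(payload))
    # Re-encode a changed payload but keep the original tag: verification fails.
    forged_payload = _b64(json.dumps({"role": "admin", "user": "alice"},
                                     sort_keys=True, separators=(",", ":")).encode())
    tampered = f"{forged_payload}.{tag}"
    return {
        "valid": load_session(cookie),
        "readable": readable,
        "tampered": load_session(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway matches the reply: put in the signed cookie only what the browser may know, and keep anything private behind an opaque server-side id. If you want Flask itself to keep sessions server-side, the Flask-Session extension swaps in a server-backed session interface.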