Why store sessions on the server instead of inside a cookie?


I have been using Flask for some time now and I am really enjoying the framework. One thing that I fail to understand is that in almost all other places they talk about storing the session on the server and the session id on the client, which would then identify the session. However after using flask, I dont feel the need to do so. Saving the session as a cookie on the client cryptographically serves my purpose and seems quite secure too. The only thing being I am unable to encrypt the session keys for eg:

session['life'] = 'the great one'

would appear as

life='gfhjfkjdfa some encryption kj'

in the cookie saved on the client. But how would that matter as it is still encrypted. I am sure that people here know things much better than I do, so request someone to please clarify :-)

9/25/2011 1:33:01 AM

Accepted Answer

Even if your data is encrypted, the user could still roll back their cookie to a previous state (unless you start encoding one-time IDs etc)

e.g. cookie says the user has 100 credits, user spends 100 credits, they get a new cookie saying they have 0 credits. They could then restore their previous cookie (with 100 credits).

Depending how you encrypt the cookie, the user may also be able to delete keys, insert bogus data etc too.

10/16/2010 1:16:29 PM

If the session data is needed at the server, it makes sense to store it at the server. It keeps down the data bulk sent back and forth from the client. Also, cookies have a limit on the amount of data they can store.

Licensed under: CC-BY-SA with attribution
Not affiliated with: Stack Overflow