Open CFIALeronB opened 1 year ago
So as long as we rely exclusively on the server-side information associated with that particular cookie-stored session identifier?
Off the top of my head:
How hard is it to just encrypt the JWT token with the louis-login-backend key and have it stored in the cookie always, decrypting and reading only from that?
@rngadam I'd like to clarify some details about Flask's session handling:
1. Session ID Storage:
2. Server-Side Session Storage:
3. Request-Response Cycle:
Given the above, it's worth noting that while the session ID cookie is signed, preventing tampering, it is not encrypted. This means users can potentially read the ID; thus, any sensitive data shouldn't be stored directly in the session unless further encryption measures are employed.
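To make the signed-but-readable point above concrete, here is an added stand-alone example (not code from this thread or from the louis project) that builds and inspects a cookie in the layout Flask produces through itsdangerous: `payload.timestamp.signature`, salt `cookie-session`, HMAC-SHA1 with HMAC key derivation. The layout, the secret value and the plain-JSON-only payload are assumptions of this sketch, not something the thread states.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"  # salt Flask's session interface passes to itsdangerous (assumption)

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _derive_key(secret_key: bytes) -> bytes:
    # Signing key = HMAC-SHA1(secret_key, salt), as itsdangerous' "hmac" derivation does (assumption).
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()

def make_session_cookie(data: dict, secret_key: bytes, now=None) -> str:
    """Serialize `data` the way the server does: JSON, optional zlib, base64url, timestamp, HMAC."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(payload)
    encoded = _b64e(payload)
    if len(packed) < len(payload) - 1:   # compress only when it actually shrinks the payload
        encoded = "." + _b64e(packed)    # a leading dot marks a compressed payload
    stamp = int(time.time()) if now is None else now
    ts = _b64e(stamp.to_bytes((stamp.bit_length() + 7) // 8, "big"))
    signed = f"{encoded}.{ts}"
    sig = hmac.new(_derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64e(sig)}"

def read_session_cookie(cookie: str) -> dict:
    """Decode the payload WITHOUT any key: anyone holding the cookie can do this."""
    encoded = cookie.rsplit(".", 2)[0]
    if encoded.startswith("."):
        return json.loads(zlib.decompress(_b64d(encoded[1:])))
    return json.loads(_b64d(encoded))

def verify_session_cookie(cookie: str, secret_key: bytes) -> bool:
    """Check the signature: the only step that needs the server's secret key."""
    signed, _, sig = cookie.rpartition(".")
    expected = hmac.new(_derive_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))

if __name__ == "__main__":
    secret = b"constructed-secret-for-demo"   # constructed value, not a real key
    cookie = make_session_cookie({"user_id": 42, "role": "staff"}, secret)
    print("readable without key:", read_session_cookie(cookie))
    print("valid under server key:", verify_session_cookie(cookie, secret))
    print("valid under other key :", verify_session_cookie(cookie, b"other-key"))
```

The takeaway is the asymmetry: `read_session_cookie` needs no secret, `verify_session_cookie` does, which is why only non-sensitive identifiers belong in the cookie unless the payload itself is encrypted.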