Clarification Needed on Session Handling and Encryption in Flask

[CFIALeronB]

@rngadam I'd like to clarify some details about Flask's session handling:

1. Session ID Storage:

• The session ID is saved as a cookie on the client side.
• This ID is cryptographically signed but not encrypted. It means users can view the data but can't tamper with it due to the signature.
• This session ID acts more as a reference or pointer to the actual session data stored on the server-side.

2. Server-Side Session Storage:

• When using the filesystem storage mode for sessions, a file is created on the server with a filename that corresponds to the session ID.
• The content of this file consists of serialized session data.

3. Request-Response Cycle:

• For incoming requests that contain a session cookie, the Flask app matches the session ID from the cookie to the corresponding file in the server's filesystem.
• It then reads and deserializes the session data from that file to access the session information.

Given the above, it's worth noting that while the session ID cookie is signed, preventing tampering, it is not encrypted. This means users can potentially read the ID thus any sensitive data shouldn't be stored directly in the session unless further encryption measures are employed.

[rngadam]

So as long as we rely exclusively on the server-side information associated to that particular cookie-stored session identifier?

Off the top of my head:

• PLUS: it might be helpful for debugging purposes to be able to read the session information
• PLUS: louis-login-frontend could display information from the session too
• CON: this is somewhat error-prone and likely to lead to unintentional bugs where we accidentally rely on a browser provided information
• CON: someone with access to the browser (on a shared computer for example) could read that potentially private information
• CON: it requires us to store and manage state on the server

How hard is it to just encrypt the JWT token with the louis-login-backend key and have it stored in the cookie always, decrypting and reading only from that?