Closed klahnakoski closed 1 year ago
But the session id is transferred to client-side, and that is what the signer tries to encrypt.
Quoted from doc:
Whether sign the session cookie sid or not, if set to True, you have to set
The setting probably exists to remain compatible with Flask's built in session feature, which stores the session data in a cookie.
If you are using Flask-Session, you presumably trust your server-side session store and can get a tiny performance improvement by disabling SESSION_USE_SIGNER
.
Since the session data is stored on the server's side, I am at a loss why it would need to be signed. Please update the configuration doc (under SESSION_USE_SIGNER) with some reasoning.
Thank you