pallets-eco / flask-session

Server side session extension for Flask
https://flask-session.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Explain why SESSION_USE_SIGNER might be needed #106

Closed klahnakoski closed 1 year ago

klahnakoski commented 4 years ago

Since the session data is stored on the server's side, I am at a loss why it would need to be signed. Please update the configuration doc (under SESSION_USE_SIGNER) with some reasoning.

Thank you

frostming commented 4 years ago

But the session id is transferred to the client side, and that is what the signer tries to encrypt.

frostming commented 4 years ago

Quoted from doc:

Whether sign the session cookie sid or not, if set to True, you have to set

yrro commented 2 years ago

The setting probably exists to remain compatible with Flask's built-in session feature, which stores the session data in a cookie.

If you are using Flask-Session, you presumably trust your server-side session store and can get a tiny performance improvement by disabling SESSION_USE_SIGNER.
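To make concrete what the signer protects, here is an added example (not Flask-Session's own code) that mimics what SESSION_USE_SIGNER does to the sid cookie: the random session id is HMAC-signed with the app secret before it goes to the client, and an incoming cookie is verified before any lookup in the server-side store. It uses only the standard library; the cookie layout and the `flask-session` salt are assumptions, not the exact itsdangerous format the extension uses.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for the demo; a real app uses app.secret_key.
SECRET_KEY = b"constructed-demo-secret-key"
SALT = b"flask-session"  # assumed salt; gives this purpose its own derived key


def _derive_key(secret: bytes, salt: bytes) -> bytes:
    # HMAC-based key derivation: one app secret, a distinct key per purpose.
    return hmac.new(secret, salt, hashlib.sha256).digest()


def new_sid() -> str:
    # The server picks an unguessable id; it is the key into the server-side store.
    return secrets.token_urlsafe(32)


def sign_sid(sid: str, secret: bytes = SECRET_KEY) -> str:
    # Cookie value sent to the client: "<sid>.<hex mac>" (assumed layout).
    key = _derive_key(secret, SALT)
    mac = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def verify_sid(cookie: str, secret: bytes = SECRET_KEY) -> Optional[str]:
    # Return the sid only if the MAC checks out; otherwise None, so an
    # edited or fabricated cookie never reaches the session store.
    sid, sep, mac = cookie.rpartition(".")
    if not sep or not sid:
        return None
    key = _derive_key(secret, SALT)
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return sid


def lookup_session(cookie: str, store: dict, secret: bytes = SECRET_KEY) -> Optional[dict]:
    # Per-request flow with the signer on: verify first, then hit the store.
    # With the signer off, the raw sid is the cookie and the store is queried
    # with whatever value the client presented.
    sid = verify_sid(cookie, secret)
    if sid is None:
        return None
    return store.get(sid)
```

The value of the signer is the early rejection in `verify_sid`: an unsigned deployment forwards every client-supplied id to the backing store, so the store's own lookup behaviour becomes the only check.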