I am practicing site construction using flask, which is a web framework of python.

I have a question about session management.

1. Where and how are sessions stored?
2. For example, if you have two Flask servers, is it possible to share a session between them?
3. Is it possible for the user to peek into the contents of this session?

I would appreciate it if you could answer my questions.

  • Answer # 1

    Flask standard session management

    All session variables are stored in the (user's) browser cookie.
    Session information is not retained on the server side.

    Multiple servers can share a session if they use the same SECRET_KEY.

    It is possible. Session variables are included in the cookie as a Base64-encoded JSON object.
    (If the data is large, it is JSON -> zlib-compressed -> Base64-encoded.)

    Using Flask-Session

    As mentioned above, Flask standard session management is easy but not secure.
    You can use Flask-Session to manage session variables on the server side.
    (Updates have been stagnant since 2017, but as of 2020, I think we can still recommend it.)

    Session variables can be saved in a file or DB by setting.

    If each server can access the session information saved in (1), it can be shared.

    Browser cookies do not contain session variables (contents).

    Manage session information yourself

    This is a way to increase security without using Flask-Session above.

    Do not store important information in session variables.

    Manage the information you want to keep for the session yourself, without storing it in session. (Save it in a DB, etc.)

    Also configure the handling of the session cookie securely.

    Set SESSION_COOKIE_HTTPONLY to True. (True by default)
    This disallows reading the cookie from JavaScript.

    Set SESSION_COOKIE_SECURE to True. (Default is False)
    This limits sending of the cookie to HTTPS. The site must be served over HTTPS.

    Set SESSION_COOKIE_SAMESITE to 'Lax'. (Default is None)
    This disallows sending the cookie with cross-origin requests.
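To make the point in question 3 concrete, here is an added example (not part of the answer above, and not Flask's own code) that reads the session variables out of a cookie laid out the way Flask's default client-side session is: `<payload>.<timestamp>.<signature>`, URL-safe Base64 with padding stripped, and a leading `.` marking a zlib-compressed payload. The sample cookie is constructed in the block with a placeholder timestamp and signature; it uses only the standard library and never needs the SECRET_KEY, which is exactly why nothing sensitive belongs in a client-side session.

```python
import base64
import json
import zlib


def _b64url_decode(part: str) -> bytes:
    # Flask strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_flask_session_payload(cookie_value: str) -> dict:
    """Return the session variables carried in a Flask-style session cookie.

    The signature at the end only lets the *server* detect tampering; it
    does not encrypt anything, so the payload is readable by whoever holds
    the cookie. Tagged types (tuples, datetimes) would show up as the
    small tag dicts Flask's serializer wraps them in.
    """
    compressed = cookie_value.startswith(".")
    body = cookie_value[1:] if compressed else cookie_value
    payload = body.split(".", 1)[0]  # Base64 never contains '.'
    raw = _b64url_decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def build_sample_cookie(session: dict, compress: bool) -> str:
    """Construct a cookie in Flask's layout for this example.

    The timestamp and signature are placeholders (a real cookie carries a
    Base64 timestamp and an HMAC over payload and timestamp); they are not
    needed to read the payload, which is the point being demonstrated.
    """
    raw = json.dumps(session, separators=(",", ":")).encode()
    if compress:
        payload = "." + _b64url_encode(zlib.compress(raw))
    else:
        payload = _b64url_encode(raw)
    return f"{payload}.PLACEHOLDER_TS.PLACEHOLDER_SIG"


if __name__ == "__main__":
    cookie = build_sample_cookie({"user_id": 42, "role": "admin"}, compress=False)
    print(decode_flask_session_payload(cookie))  # no SECRET_KEY involved
```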