Why store sessions on the server instead of inside a cookie?

前端 未结 4 423
闹比i
闹比i 2021-02-05 17:58

I have been using Flask for some time now and I am really enjoying the framework. One thing that I fail to understand is that in almost all other places they talk about storing

相关标签:
4条回答
  • 2021-02-05 18:21

    Even if your data is encrypted, the user could still roll back their cookie to a previous state (unless you start encoding one-time IDs etc)

    e.g. cookie says the user has 100 credits, user spends 100 credits, they get a new cookie saying they have 0 credits. They could then restore their previous cookie (with 100 credits).

    Depending how you encrypt the cookie, the user may also be able to delete keys, insert bogus data etc too.

    0 讨论(0)
  • 2021-02-05 18:24

    If the session data is needed at the server, it makes sense to store it at the server. It keeps down the data bulk sent back and forth from the client. Also, cookies have a limit on the amount of data they can store.

    0 讨论(0)
  • 2021-02-05 18:41

    In addition to the points already mentioned above

    1. Users can disable cookies using their browser settings. A lot of antivirus scanners also scan and flag cookies as a risk because of which which can also result in cookies not being allowed on the users computer.

    2. Cookies can be deleted by the user even in the middle of his session. (In fact, i inadvertently did that the other day when one my PC scans listed the tracking cookies...and i just clicked "Clean" and they were all gone). In case the user happens to delete the cookies, the users state will be lost.

    If you use cookies to manage the entire state, you are always dependant on the client environment and its settings. In as such, you will probably atleast need a fall back mechanism in case the cookies are deleted / disabled etc in order for your application to work correctly.

    0 讨论(0)
  • 2021-02-05 18:43

    The SecureCookie implementation Flask uses does not encrypt the values. The only thing that is being ensured is that the user cannot modify the cookie without knowing the secret used by the application.

    0 讨论(0)
提交回复
热议问题