Question
I have found a number of articles online explaining that the Flask session is secured and not encrypted.
This means that users can Base64-decode the cookie and read the values inside.
Is it an issue if my application uses the User ID value from this session cookie to authenticate the user after he has successfully logged in?
If I understand correctly, the user will not be able to change his cookie value to the ID of another user, as it is signed by the application's private key on the server side. Is that correct?
And if so, are there any issues with using the secured contents of the Flask cookie-based session to allow users access to protected views of the application?
Answer 1:
To summarise answers given in the comments:
- The cookie can be tampered with, but if Flask session security is enabled, such a tampered session will be thrown away, forcing the client to log in again
- The session data Base64-encoded within the cookie can be quite easily viewed. Therefore anything that your clients are not supposed to see should not be included there
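The two points above, shown in working code. This is an added example, not code from the question, the answer, or Flask itself: it is a simplified, standard-library-only model of the scheme Flask's session cookie uses (a URL-safe Base64 payload followed by an HMAC over it, which Flask delegates to itsdangerous). The real Flask cookie also carries a timestamp and may zlib-compress the payload, so the exact byte layout differs; the security property demonstrated is the same. The `SECRET_KEY` value and the `{"user_id": 42}` session content are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example; in Flask this is app.secret_key and must be
# a long random value kept on the server only.
SECRET_KEY = b"example-only-secret-key-do-not-reuse"


def _b64e(raw: bytes) -> str:
    """URL-safe Base64 without padding, as used in cookie values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    """Inverse of _b64e: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server secret."""
    return _b64e(hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest())


def sign_session(data: dict, secret: bytes) -> str:
    """Server side: serialise session data into 'payload.signature'.

    Nothing here encrypts the data; the signature only proves the server wrote it.
    """
    payload = _b64e(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{_signature(payload, secret)}"


def peek_session(cookie: str) -> dict:
    """Client side: read the session contents WITHOUT knowing the secret.

    This is why secrets must never be stored in the session.
    """
    payload, _, _ = cookie.partition(".")
    return json.loads(_b64d(payload))


def load_session(cookie: str, secret: bytes):
    """Server side: verify the signature, returning the data or None if invalid."""
    payload, sep, sig = cookie.partition(".")
    if not sep:
        return None
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(_signature(payload, secret), sig):
        return None
    try:
        return json.loads(_b64d(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def forge_payload(cookie: str, new_data: dict) -> str:
    """Attacker side: swap the payload but keep the original signature.

    The signature no longer matches, so the server will reject it.
    """
    _, _, sig = cookie.partition(".")
    payload = _b64e(json.dumps(new_data, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{sig}"


def current_user_id(cookie: str, secret: bytes):
    """The pattern from the question: trust user_id only from a validly signed session.

    An invalid or forged cookie is treated exactly like an anonymous request.
    """
    data = load_session(cookie, secret)
    if not data:
        return None
    return data.get("user_id")


if __name__ == "__main__":
    cookie = sign_session({"user_id": 42}, SECRET_KEY)
    print("cookie:", cookie)
    print("readable by anyone:", peek_session(cookie))
    print("user on server:", current_user_id(cookie, SECRET_KEY))
    forged = forge_payload(cookie, {"user_id": 1})
    print("forged cookie accepted?", current_user_id(forged, SECRET_KEY))
```

In a real Flask application you would not write any of this yourself: assign `session["user_id"]` after login and read it back in protected views, and Flask signs and verifies the cookie with `app.secret_key`. Two caveats that follow from the design: the server cannot revoke a signed cookie before it expires (logout on one device does not invalidate a copy elsewhere unless you rotate the key or move to server-side sessions), and anyone who obtains the secret key can mint a cookie for any user ID, so the key must be generated randomly and never committed to source control.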
Source: https://stackoverflow.com/questions/47514352/is-it-safe-to-store-user-id-within-the-flask-session