Also why would anyone store and read data like { 'groups': [...] } on the client-side?
Session cookies are supposed to be identifiers only, with the data stored server-side.
By default sessions in Flask are stored in plaintext:
> This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.
That's precisely why the cookie should just be an identifier, that you look up group info from the database. Because you can guarantee the cookie contents will be modified by someone at some point. Make it useful to you, useless to them.
ddorian43|1 year ago
> This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.
shakna|1 year ago
unknown|1 year ago
[deleted]