goodtables.io
Rebase on server side session?
Overview
For now we use http://flask.pocoo.org/docs/0.12/quickstart/#sessions which I suppose could be read by the client (readable but signed). Also there is a size limit.
Putting on backlog. I've not had a problem with Flask's cookie sessions before, even in quite strict deployment/qa scenarios. Happy if the team prefer to move to DB sessions, but not critical for now as long as we use secure cookies.
@pwalsh @amercader For now we store sensitive information inside the session - so my main concern is that fact.
In addition to the request object there is also a second object called session which allows you to store information specific to a user from one request to the next. This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.
http://flask.pocoo.org/docs/0.12/quickstart/#sessions
If I read it correctly (and JWT has the same concept - open to read, closed to write) - it's a priority problem.
Why do we store sensitive info in the session? Let's discuss on Slack.
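As an added illustration of the Flask behaviour quoted above (example code, not code from goodtables.io or Flask): a stdlib-only model of a signed session cookie, showing that the payload decodes without the secret key while any edited payload fails the server's signature check. The layout follows itsdangerous' URLSafeTimedSerializer (payload.timestamp.signature); byte-for-byte compatibility with real Flask cookies is an assumption, as are the sample secret and session values.

```python
import base64, hashlib, hmac, json, time, zlib
from typing import Optional

SALT = b"cookie-session"  # salt Flask passes to its session serializer

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _derive_key(secret: bytes) -> bytes:
    # itsdangerous' default "django-concat" key derivation (assumed, see lead-in)
    return hashlib.sha1(SALT + b"signer" + secret).digest()

def _split(cookie: str):
    body, sig = cookie.rsplit(".", 1)   # body is the part that gets signed
    value, ts = body.rsplit(".", 1)     # value may start with "." (zlib flag)
    return body, value, ts, sig

def make_session_cookie(secret: bytes, data: dict, now: Optional[int] = None) -> str:
    """What the server emits: base64url JSON (zlib if smaller) . timestamp . HMAC."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(payload)
    value = "." + _b64e(packed) if len(packed) < len(payload) else _b64e(payload)
    ts = int(time.time() if now is None else now)
    body = value + "." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret), body.encode(), hashlib.sha1).digest()
    return body + "." + _b64e(sig)

def peek_session_cookie(cookie: str) -> dict:
    """Read the session WITHOUT the secret key: any holder of the cookie can do this,
    which is why secrets (tokens, credentials) should not live in it."""
    _, value, _, _ = _split(cookie)
    raw = _b64d(value.lstrip("."))
    return json.loads(zlib.decompress(raw) if value.startswith(".") else raw)

def verify_session_cookie(secret: bytes, cookie: str, max_age: int = 31 * 86400,
                          now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: return the session only if signature and age hold."""
    body, _, ts, sig = _split(cookie)
    expected = hmac.new(_derive_key(secret), body.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, _b64d(sig)):
        return None  # payload altered, or signed with a different key
    issued = int.from_bytes(_b64d(ts), "big")
    if int(time.time() if now is None else now) - issued > max_age:
        return None  # stale cookie
    return peek_session_cookie(cookie)
```

Integrity holds, confidentiality does not: the client can always call the equivalent of peek_session_cookie, so anything sensitive belongs server-side with only an opaque session id in the cookie.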