Starting to learn Python's Flask web app framework, still on the learning curve, so please bear with me.
I am wondering how appropriate client-side sessions are for secure web application purposes. From what it seems, there are some serious concerns:
- Since all the session variables are serialized and encoded in a cookie, one should be careful with how much data they store there, in order to keep the size of the HTTP data travelling back and forth reasonable.
- I'm not sure if identical key/value sets have identical serialized values, but if I fetch and store a cookie value in one session, can't I feed the same, albeit encrypted, value back in another session at another time, and make the server believe those are genuine session variable values? What a user is allowed to do one day doesn't mean the same thing is allowed another day. And if those session variable values have to be secure-proofed all the time, what good is keeping them "in cache" at all? Then they serve little more purpose than letting us use pretty GET URLs (i.e., instead of an ugly query string with some parameters).
So, perhaps the answer I am looking for is the limits of Flask client-side sessions, considering a possible man-in-the-middle attack (for non-secure HTTP sessions, of course) or an advanced malicious user who stores the cookie values for relaying them back at a later time.
I don't think you have to worry about the size as a cookie can't store more than 4KB of data anyway. I highly doubt you'll get anywhere close to that easily.
It's just as secure as other sessions, as in you can probably take the PHPSESSID cookie to some other browser and have it work just as you can do it with this. Nothing prevents it. However, there are workarounds for this issue: you can have it expire after a time limit. See this question for example. It has useful answers regarding this issue.
You can always use a database session if you so desire. I'm sure there are other implementations you can find too.
Edit: Here are some others.
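The replay concern in the question and the expiry workaround in the answer, as an added example that is not part of the original posts and is not Flask's own code: a standard-library sketch of a signed client-side session cookie whose issue time is covered by the signature, so the server can reject a stored cookie once its lifetime has passed. The names `dump_session`, `load_session`, `peek_payload`, `SECRET_KEY` and `MAX_AGE` are hypothetical, and the key and session values are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"  # constructed; use a long random secret in practice
MAX_AGE = 3600                        # assumed session lifetime, in seconds

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(body):
    return _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())

def dump_session(data, now=None):
    """Serialize the session, append the issue time, and sign both together."""
    issued = int(time.time() if now is None else now)
    body = _b64(json.dumps(data, sort_keys=True).encode()) + "." + str(issued)
    return body + "." + _mac(body)

def load_session(cookie, now=None):
    """Return the session dict, or None if the cookie is forged, expired or malformed."""
    try:
        payload, issued, sig = cookie.split(".")
        if not hmac.compare_digest(sig, _mac(payload + "." + issued)):
            return None                   # payload or timestamp was altered
        age = (time.time() if now is None else now) - int(issued)
        if age < 0 or age > MAX_AGE:
            return None                   # stored cookie replayed after its lifetime
        return json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None                       # wrong shape, bad base64 or bad JSON

def peek_payload(cookie):
    """What the client can read without the key: the payload is signed, not encrypted."""
    return json.loads(_unb64(cookie.split(".")[0]))
```

Within `MAX_AGE` the same cookie is accepted every time it is presented, so anything that must be revocable before expiry (a role change, a logout) has to be checked against server-side state.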