
Context

In a Flask app, we use a signed cookie (encoded JWT) for user data; however, the amount of data has become too large to put in a cookie (specific permissions per item).

Here comes Redis: instead of storing the permissions in the JWT and passing it back and forth, we'll just keep it in Redis.

My questions are:

  1. Is there any advantage to having signed session cookies (encoded JWT) AND using Redis to store other session information?
  2. Is it better to implement the session logic yourself instead of using something like flask-session?

2 Answers

  1. JWT is mostly useful for distributed applications where the token is generated and used by different applications. So, if all processing happens on a single backend, Redis is more flexible.
    Implementing your own session logic is probably not a good idea, especially when the session is used for security purposes (authentication).

  2. Even if you use Redis to store sessions, you still need cookies, since you will need to query by key and the key will be on the client side, in the cookie.

    You may just keep the identifier in the cookie but store the rest in Redis, and you get the details by that identifier.

    1. I think it would be secure to have some long, hard-to-know identifier as the key instead of just some integer or some arbitrary short text.
    2. I am not super familiar with Flask, but the requirements for sessions have been almost the same for years (get, set, expire, delete), and that library probably supports all the requirements for session-related use cases. I would go with the existing one instead of implementing a new one.
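An added example, not from the thread, of the layout the second answer describes: a long random identifier is the only thing in the cookie, and the per-item permission data lives in Redis under that key, with get, set, expire and delete covered. The Redis client is a constructed in-memory stand-in (`FakeRedis`) so it runs offline; `SECRET_KEY` and the `session:` key prefix are assumptions.

```python
import hashlib, hmac, json, secrets, time

SECRET_KEY = b"constructed-demo-secret"  # assumption: load from app config in practice

class FakeRedis:  # constructed in-memory stand-in for a Redis client so the example runs offline
    def __init__(self):
        self._data = {}

    def setex(self, key, ttl, value):  # SET with expiry, like redis-py's setex()
        self._data[key] = (value, time.monotonic() + ttl)

    def get(self, key):
        item = self._data.get(key)
        if item is None or time.monotonic() >= item[1]:
            self._data.pop(key, None)  # expired entries behave as absent
            return None
        return item[0]

    def delete(self, key):
        self._data.pop(key, None)

def sign(sid):  # cookie value is "sid.HMAC(sid)"; the MAC lets forged cookies be rejected before any Redis lookup
    return sid + "." + hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()

def verify(cookie):  # returns the session id, or None for a missing or tampered MAC
    sid, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return sid if sid and hmac.compare_digest(mac.encode(), expected.encode()) else None

class RedisSessionStore:
    def __init__(self, redis, ttl=3600):
        self.redis, self.ttl = redis, ttl

    def create(self, data):  # server-side session: data lives in Redis, only the signed id goes in the cookie
        sid = secrets.token_urlsafe(32)  # 256 random bits: unguessable, unlike a user id or counter
        self.redis.setex("session:" + sid, self.ttl, json.dumps(data))
        return sign(sid)

    def load(self, cookie):
        sid = verify(cookie)
        raw = self.redis.get("session:" + sid) if sid else None
        return json.loads(raw) if raw is not None else None

    def destroy(self, cookie):  # logout: deleting the Redis key invalidates the cookie immediately
        sid = verify(cookie)
        if sid:
            self.redis.delete("session:" + sid)
```

Because the permissions never leave the server, revoking them is a single key delete rather than waiting for a JWT to expire.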