且构网 - sharing the things programmers run into in development

Flask client-side sessions

Updated: 2022-10-15 14:18:41




Starting to learn Python's Flask web app framework, still on the learning curve, so please bear with me.

I am wondering how appropriate are the client-side sessions for secure web application purposes. From what it seems, there are some serious concerns:

  • Since all the session variables are serialized and encoded in a cookie, one should be careful with how much data they store there, in order to keep the size of the HTTP data travelling back and forth reasonable.
  • I'm not sure if identical key/value sets have identical serialized values, but if I'd fetch and store a cookie value in one session, can't I feed the same, albeit encrypted, value back in another session at another time, and make the server believe those are genuine session variable values? What a user is allowed to do one day doesn't mean the same thing is allowed another day. And if those session variable values have to be secure-proofed all the time, what good is keeping them "in cache" at all? Then they serve little more purpose than letting us use pretty GET URLs (i.e., instead of an ugly query string with some parameters).

So, perhaps the answer I am looking for is the limits of Flask client-side sessions, considering a possible man-in-the-middle attack (for non-secure HTTP sessions, of course) or an advanced malicious user who stores the cookie values for relaying them back at a later time.

  • I don't think you have to worry about the size as a cookie can't store more than 4KB of data anyway. I highly doubt you'll get anywhere close to that easily.

  • It's just as secure as other sessions, as in you can probably take the PHPSESSID cookie to some other browser and have it work, just as you can do it with this. Nothing prevents it. However, there are workarounds for this issue; you can have it expire after a time limit. See this question for example. It has useful answers regarding this issue.

You can always use a database session if you so desire. I'm sure there are other implementations you can find too.

Edit: Here are some others.
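The replay concern raised in the question and the expiry workaround suggested in the answer, as an added example that is not part of the original post or of Flask itself: a stripped-down model of a Flask-style cookie session (Flask's real implementation uses itsdangerous' URLSafeTimedSerializer; the secret key, session data and timestamps here are constructed). The payload is only signed, not encrypted, so anyone holding the cookie can read it, a copied cookie replays cleanly until the lifetime runs out, and the signature check is what stops tampering or forgery.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret-key"  # constructed sample, not a real key
MAX_AGE = 3600          # seconds a cookie stays valid (the answer's "expire after a time limit")
COOKIE_LIMIT = 4096     # the ~4KB per-cookie limit the answer mentions


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sig(payload: str, secret: bytes) -> str:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())


def make_cookie(data: dict, secret: bytes, now: int) -> str:
    """Serialize session data as base64(JSON).timestamp.HMAC: signed, NOT encrypted."""
    payload = f"{_b64(json.dumps(data, separators=(',', ':')).encode())}.{now}"
    return f"{payload}.{_sig(payload, secret)}"


def read_cookie(cookie: str, secret: bytes, max_age: int, now: int):
    """Return the session dict, or None if the signature is bad or the cookie is too old."""
    try:
        body, ts, sig = cookie.rsplit(".", 2)
    except ValueError:
        return None                                   # not in body.timestamp.signature form
    payload = f"{body}.{ts}"
    if not hmac.compare_digest(_sig(payload, secret), sig):
        return None                                   # tampered, or signed with another key
    if now - int(ts) > max_age:                       # ts is trustworthy once the HMAC matched
        return None                                   # replayed after the lifetime expired
    return json.loads(_unb64(body))


def peek_payload(cookie: str) -> dict:
    """Anyone holding the cookie can read its contents; no secret is needed for that."""
    return json.loads(_unb64(cookie.split(".")[0]))


def fits_in_cookie(cookie: str, limit: int = COOKIE_LIMIT) -> bool:
    """Size check for the serialized session, since the whole state rides in the cookie."""
    return len(cookie) <= limit
```

Within MAX_AGE a replayed copy of the cookie is accepted exactly as the answer says; only the signature check and the age check are enforced server-side, so anything that must not be reusable later still needs a server-side record.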