• When you say session, does that include the user's interactions on the web app before logging in?

    By "session" I mean the data that is stored in the magic basket that goes back and forth between browser and server.

    So, if the session stores the series of interactions (which is not the default), that would be included. But that's unlikely.

    Though who knows what Google Analytics does.

  • What types of data can be stored in a Flask session? How do sessions handle large amounts of data?

    Anything that can be converted to text, so pretty much anything. But not too much. Don't try to save an image in a session, even if you encode it with UUEncode or Base64.

    To handle large amounts of data, such as a picture, store the picture on the server (in the database or in a regular file) and store an identifier (maybe a filename) in the session.

  • Is there a way to prevent a session from data loss if there's a timeout?

    Probably not.

    Don't put anything unrecoverable in a session. Login information is fine, because someone can always login again if the cookie expires or gets deleted. A shopping cart can be filled again.

    Can you think of anything that you would want to store in the session that might be unrecoverable?

  • Could you explain how the flash() function uses sessions to carry the flashed messages around from page to page?

    It stores them as a list in the session under a key. I think the key is something like _flashes or something like that.

  • Can we go over reasons not to use sessions again?

    Sure. The short list:

    1. tied to a server (not for Flask)
    2. performance of looking up session data given session ID (not for Flask)
    3. timeouts
    4. bookmarks (just a variation of timeout)
    5. hijacking (this is mostly obsolete, I think)
    6. security (don't store sensitive info in any cookie, including Flask sessions)

  • Could you explain how sessions handle secrets after users log out?

    The app can clear any information from the session that should no longer be stored in the session. For example, someone's searches at a library kiosk, to preserve their privacy.

    Many apps, including Flask, store the session in a cookie that is only stored in memory, not on disk, which is why they say "for best security, close your browser". (Not that anyone ever does, or they "restore the session" when they restart.)

  • How is it possible that we are able to store session data in a cookie when there is more session data than cookie size (the 10k vs 7k example in the reading)?

    Compression helps.
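    The signed-cookie model behind the two answers above (compression for oversized data, and the "don't store sensitive info in any cookie" / clear-on-logout advice), as an added example that is not from the original page or from Flask itself: a stdlib-only sketch in the shape of Flask's itsdangerous cookie session, not byte-compatible with it. SECRET_KEY, the key names and the sample values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import zlib
from typing import Optional

# Constructed demo secret; a real app loads it from configuration, never source.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_session(data: dict) -> str:
    """Serialise the session dict as 'payload.signature'. As in Flask's
    cookie session, the JSON payload is zlib-compressed (marked by a leading
    '.') when that is shorter, and it is signed, not encrypted."""
    body = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(body)
    payload = "." + _b64(packed) if len(packed) < len(body) else _b64(body)
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return payload + "." + _b64(sig)

def peek_session(cookie: str) -> dict:
    """Read the payload WITHOUT the secret: anyone holding the cookie can,
    which is why sensitive data must never live in the session."""
    payload = cookie.rpartition(".")[0]
    if payload.startswith("."):
        return json.loads(zlib.decompress(_unb64(payload[1:])))
    return json.loads(_unb64(payload))

def load_session(cookie: str) -> Optional[dict]:
    """Server-side load: verify the signature first; None means tampered."""
    payload, _, sig = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return peek_session(cookie)

def logout(data: dict) -> dict:
    """Clear what must not outlive the login (user identity, pending flashes)
    but keep recoverable state such as a shopping cart."""
    return {k: v for k, v in data.items() if k not in ("user_id", "_flashes")}
```

    A forged payload paired with an old signature still decodes with peek_session but is rejected by load_session, which is the whole difference between "signed" and "secret".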

  • What is the longest possible time span of cookies?

    Unix max time, which is 03:14:07 UTC on 19 January 2038. See the Year 2038 problem.

    Though this post says Chrome now limits them to 400 days.