• I am still a little confused about how you're pulling data from the cookies; could you elaborate on the session_cart() method?

  • Clarifying the difference between Flask sessions and PHP sessions

    Flask puts the data in the cookie; PHP generates a unique ID and saves the data to a directory on the server using that ID (IIRC: /var/lib/php/session/ID), and then puts the ID in the cookie.

    PHP's is more *private* and can be *larger*, but is tied to a single server.

  • Why is session data stored client-side in cookies rather than server-side?

    Easier to distribute across multiple servers; less disk or database I/O

  • I understand these benefits to this design:
    "In a big organization, web traffic may be distributed across many servers, in which case the session information needs to be distributed, too. Flask's technique of putting session data in the cookie avoids this problem."
    But also, isn't it better for things to be in distributed systems, though? When the info is distributed it is more fault tolerant with less reliance on one single server, so info can be recovered and retrieved, right? Or in this case we might be very reliant on the cookie itself?

    Yes. I think you are arguing in favor of Flask's approach; aren't you?

    But also, yes, we are dependent on the cookie. If it gets lost, the data (say the shopping cart) is gone. So, don't put critical information solely in the session.

  • Can we implement logout feature using Flask sessions?

    For sure! Just remove the authentication info from the session. If the session has {user: ww123}, pop that info out of it.
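    To make the "data lives in the cookie" point and the logout answer concrete, here is an added stand-alone example (not code from the course or from Flask itself) that mimics Flask's signed-cookie session using only the standard library: the payload is readable by whoever holds the cookie, tampering is caught by the HMAC check, and logout is just popping the user key. The function names, the cart contents and the secret key are assumptions made up for this example; Flask's real implementation goes through itsdangerous.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only; a real app loads it from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload: binds the cookie contents to the server's secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_cookie(session: dict) -> str:
    """Serialize the session dict into a 'payload.signature' cookie value.
    Flask-style: the data itself travels in the cookie, not an ID pointing at server storage."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def load_cookie(cookie: str) -> Optional[dict]:
    """Verify the signature and return the session dict; None if the cookie was altered or forged."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:          # no '.' separator at all: not a cookie we produced
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None             # signature mismatch: the payload was changed without the key
    return json.loads(base64.urlsafe_b64decode(payload))


def peek_without_key(cookie: str) -> dict:
    """What anyone holding the cookie can read: the payload is only encoded, not encrypted.
    This is why the PHP approach (only an ID in the cookie) is described as more private."""
    payload = cookie.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload))


def logout(session: dict) -> dict:
    """Logout = remove the authentication info from the session; other data (the cart) stays."""
    session = dict(session)
    session.pop("user", None)
    return session
```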

  • This might be out of scope of the class, but what are some ways to minimize session hijacking?

    Great question!

  • None, I think I just need practice!

    Have I got an exercise for you!