I'm learning about sessions in Flask and in the documentation it says:
"Besides the default client-side based sessions, if you want to handle sessions on the server-side instead, there are several Flask extensions that support this."
https://flask.palletsprojects.com/en/2.0.x/quickstart/#sessions
What is the difference between client-side based sessions and server-side?
CodePudding user response:
In addition to the request object there is also a second object called session which allows you to store information specific to a user from one request to the next. This is implemented on top of cookies for you and signs the cookies cryptographically. What this means is that the user could look at the contents of your cookie but not modify it, unless they know the secret key used for signing.
So, the information is physically stored in the cookies, e.g. username=john is the value that's stored in the cookie. That's a "client-side session". The problem with that, as explained above, is that the user can see that data, which is bad if you want to store secret data in the session. If you need that, you need server-side sessions where the data is actually stored server-side, and all the client sees is some random meaningless session id. The session id gets stored in the cookie, and the server looks up the actual session data based on that id somewhere in some database.
The advantage of client-side sessions is that the server is entirely stateless, i.e. it doesn't need to store any data itself. That means it doesn't need to do any database lookup to get the data, and you can—for example—run several independent servers in parallel without needing to worry about having a shared session store, which is great for scalability.
The advantage of server-side sessions is that you can store more data, as it doesn't need to be sent back and forth with every request, and that the data is not visible to the user.
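Added example, not part of the original answer and not Flask's own code: a standard-library sketch of the two models described above. The cookie layout (base64 JSON plus an HMAC-SHA256 tag) is a simplified stand-in for Flask's real signed-cookie format, and `SECRET_KEY`, `SERVER_STORE` and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SECRET_KEY = b"constructed-demo-key"  # assumption: stands in for the app's secret key
SERVER_STORE = {}                     # assumption: stands in for a database or cache


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def sign(payload: str) -> str:
    return b64(hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest())


def client_side_cookie(data: dict) -> str:
    """Session data travels in the cookie: readable by the user, but signed."""
    payload = b64(json.dumps(data, sort_keys=True).encode())
    return f"{payload}.{sign(payload)}"


def load_client_side(cookie: str):
    """Return the session dict, or None if the signature does not verify."""
    payload, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(sig.encode(), sign(payload).encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def read_without_key(cookie: str) -> dict:
    """What any user can do: decode the payload with no secret at all."""
    return json.loads(base64.urlsafe_b64decode(cookie.split(".")[0]))


def server_side_cookie(data: dict) -> str:
    """Session data stays on the server; the cookie holds only a random id."""
    sid = secrets.token_urlsafe(32)
    SERVER_STORE[sid] = data
    return sid


def load_server_side(cookie: str):
    """Look the session up by id; an unknown id yields None."""
    return SERVER_STORE.get(cookie)
```

Signing protects integrity only, so anything placed in a client-side session should be treated as visible to the user; the server-side variant keeps the data private but needs a store shared by every server that handles requests.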