在Flask会话中存储用户ID是否安全? [英] Is it safe to store User ID within the Flask session?

问题描述

我在网上找到了许多文章，说明Flask会话是安全的，而不是加密的.

I have found a number of articles online explaining that the Flask session is secured and not encrypted.

这意味着用户可以对Base64解码cookie并读取其中的值.

This means that users can Base64 decode the cookie and read the values inside.

在我的应用程序成功登录后，如果我的应用程序使用此会话cookie中的用户ID"值来验证用户身份，这是一个问题吗?

Is it an issue if my application uses the User ID value from this session cookie to authenticate the user after he successfully logs in?

如果我理解正确，则该用户将无法将其cookie值更改为另一个用户的ID，因为它是由服务器端的应用程序私钥签名的.正确吗?

If I understand correctly, the user will not be able to change his cookie value to an ID of another user, as it signed by the application private key on the server side. Is that correct?

如果是这样，使用基于Flask cookie的会话的安全内容是否存在任何问题，以允许用户访问应用程序的受保护视图?

And if so, are there any issues with using the secured contents of the Flask cookie-based session to allow users access to protected views of the application?

推荐答案

总结评论中给出的答案:

To summarise answers given in the comments:

• 可以篡改Cookie，但是如果启用了Flask会话安全性，则被篡改的会话将是 查看全文