Cookies vs Sessions
To keep users “logged in”, web apps maintain state across multiple requests.
HTTP is stateless, so the server needs a way to recognize a returning user.
Cookies (client-side)
A cookie is a small key/value pair stored in the browser and sent automatically by the browser on every request to the matching domain (and path), whether or not the user intended to send it.
Common uses:
- session identifiers
- preferences (theme, language)
Security notes:
- cookies travel in cleartext, and can be sniffed and replayed, if your site is not served over HTTPS; set the Secure flag so the browser only sends them over HTTPS, and HttpOnly so page scripts cannot read them
- cookies can be modified by the client unless they’re signed; a signature stops tampering but not reading, so anything the client must not see has to be encrypted, or kept off the client entirely
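The attributes above are easy to forget on a hand-built Set-Cookie header. The following is an added example, not code from the original page: it builds a hardened session cookie with the standard library's http.cookies and includes a small audit function that reports which hardening attributes a Set-Cookie header value is missing. The attribute set it treats as required (Secure, HttpOnly, SameSite=Lax or Strict) is the baseline assumed for this example.

```python
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with the hardening attributes set."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["secure"] = True      # only sent over HTTPS
    cookie[name]["httponly"] = True    # not readable via document.cookie (limits XSS theft)
    cookie[name]["samesite"] = "Lax"   # withheld on most cross-site requests (limits CSRF)
    cookie[name]["max-age"] = max_age  # bounded lifetime instead of a browser-session cookie
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def audit_set_cookie(header_value: str):
    """Parse a Set-Cookie header value by hand and list missing hardening attributes.

    Returns (cookie_name, [missing attribute descriptions]).
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()

    # Attribute names are case-insensitive; flags like Secure carry no value.
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True

    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return name, missing


if __name__ == "__main__":
    # Constructed sample headers: one bare, one built with the helper above.
    for header in ("session=eyJ1c2VyX2lkIjo3fQ", build_session_cookie("session", "eyJ1c2VyX2lkIjo3fQ")):
        print(header)
        print("  missing:", audit_set_cookie(header)[1])
```

Run the audit against the Set-Cookie headers your app actually emits (e.g. captured with curl -i); Flask exposes the same attributes through the SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY and SESSION_COOKIE_SAMESITE settings.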
Sessions (server-side concept)
A session is a server-side concept:
- store user state on the server
- keep only a session ID in the cookie
But Flask’s default session implementation is a bit different.
Flask’s default sessions are “secure cookies”
Flask stores the session data itself in the session cookie, base64-encoded and signed (not encrypted) with SECRET_KEY via itsdangerous.
Meaning:
- the client, and anyone who captures the cookie, can read it, so never put secrets or sensitive data in it
- the client cannot modify it without invalidating the signature, and cannot forge a valid signature without SECRET_KEY
- if SECRET_KEY leaks or is guessable, anyone can mint a session for any user, so treat it like a credential and never commit it to source control
So Flask sessions are not “server-side storage” by default: nothing about the session lives on the server, which also means a session cannot be revoked individually, only by rotating SECRET_KEY for everyone or by expiring it.
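To make the "readable but not forgeable" property concrete, here is an added example (not Flask's code, and not its exact wire format, which uses itsdangerous with a salt, a timestamp and optional zlib compression): a simplified signed-cookie scheme built from the standard library's json, base64 and hmac modules. The secret, payload and helper names are chosen for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as cookie values avoid '='."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(data: dict) -> str:
    # sort_keys gives a canonical encoding so the same dict always signs identically
    return _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())


def sign_session(data: dict, secret: bytes) -> str:
    """Serialize session data and append an HMAC-SHA256 tag: '<payload>.<signature>'."""
    payload = _encode_payload(data)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def peek_session(cookie: str) -> dict:
    """What the client (or a thief) sees: the payload decodes with no key at all."""
    payload, _, _ = cookie.partition(".")
    return json.loads(_unb64(payload))


def verify_session(cookie: str, secret: bytes):
    """Server side: return the data only if the signature matches, else None."""
    payload, _, tag = cookie.partition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    # constant-time comparison avoids leaking how many bytes of the tag matched
    if not tag or not hmac.compare_digest(expected, _unb64(tag)):
        return None
    return json.loads(_unb64(payload))


def tamper(cookie: str, new_data: dict) -> str:
    """A client rewriting the payload while keeping the old signature."""
    _, _, tag = cookie.partition(".")
    return f"{_encode_payload(new_data)}.{tag}"


if __name__ == "__main__":
    secret = b"example-only-secret-key"          # constructed for the demo
    cookie = sign_session({"user_id": 7, "role": "user"}, secret)
    print("cookie :", cookie)
    print("peek   :", peek_session(cookie))      # readable without the key
    forged = tamper(cookie, {"user_id": 1, "role": "admin"})
    print("forged :", verify_session(forged, secret))   # None: signature no longer matches
```

The same structure is why a leaked SECRET_KEY is fatal: with it, tamper() becomes sign_session() and the forged cookie verifies.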
If you want server-side sessions, you typically use:
- Flask-Session (Redis, filesystem, etc.)
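The server-side model is what Flask-Session gives you on top of Redis or the filesystem. As an added example (not Flask-Session's code), here is the core of such a store in plain Python with an in-memory dict as the backend: the cookie carries only an opaque random id, the data never leaves the server, entries expire, and the id is rotated after login. The class and method names, the TTL and the injectable clock are choices made for this example.

```python
import secrets
import time


class ServerSideSessions:
    """Minimal server-side session store: opaque id in the cookie, state on the server."""

    def __init__(self, ttl_seconds: int = 3600, now=time.time):
        self._store = {}          # session id -> {"data": ..., "expires": ...}
        self.ttl = ttl_seconds
        self._now = now           # injectable clock so expiry can be tested

    def create(self, data: dict) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG; this is all the cookie will hold
        sid = secrets.token_urlsafe(32)
        self._store[sid] = {"data": dict(data), "expires": self._now() + self.ttl}
        return sid

    def get(self, sid: str):
        """Return the session data, or None if the id is unknown or expired."""
        entry = self._store.get(sid)
        if entry is None:
            return None
        if entry["expires"] < self._now():
            self._store.pop(sid, None)   # lazy cleanup of expired entries
            return None
        return entry["data"]

    def rotate(self, sid: str):
        """Issue a fresh id for the same data (call on login to defeat session fixation)."""
        data = self.get(sid)
        if data is None:
            return None
        self.destroy(sid)
        return self.create(data)

    def destroy(self, sid: str) -> None:
        """Revoke one session immediately, something a signed cookie cannot do."""
        self._store.pop(sid, None)


if __name__ == "__main__":
    sessions = ServerSideSessions(ttl_seconds=600)
    sid = sessions.create({"user_id": 7, "cart": ["item-1"]})   # constructed sample data
    print("cookie value:", sid)                                   # opaque, reveals nothing
    print("server data :", sessions.get(sid))
    sessions.destroy(sid)
    print("after logout:", sessions.get(sid))                     # None
```

Swapping the dict for Redis is the only change needed to share sessions across several app instances; keep the same opaque-id, rotate-on-login and explicit-destroy behaviour.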
Practical takeaway
For many apps:
- Flask’s default signed-cookie sessions are fine, as long as you set a strong, secret SECRET_KEY and store nothing sensitive in the session
For high-security or large session data:
- use server-side session storage: the cookie then holds only an opaque id, sessions can be revoked individually, and you are not bound by the roughly 4 KB browser limit on a single cookie
Authentication (Flask-Login) typically uses:
- the session cookie to remember the logged-in user’s id, which is why the cookie hardening above matters for login as well