
Why Is Flask-session In Plain Text?

I have a server-side session file created and I am new to web applications. I don't understand why the session files when opened with text file has plain content inside it. I have

Solution 1:

Trying to answer it to the best of my knowledge.

1) Why is the content not encrypted?

You do not really need to worry about the session stored in your server as long as your server is secured. The vulnerability is the session stored as cookies in the browser. To bypass that, the 'SECRET_KEY' is used to let the server sign the session variables before storing them in the browser. That is the reason why you might still see the session in plain text on the server. It will be signed in the browser cookie-data though.

2) When I do session.pop() why is the file not deleted?

To understand what the session.pop does, I did a little exercise. At first, my Flask session looked like this:

Session is:  <SecureCookieSession {'id': '27260b14-405d-440a-9e38-daa32d9a7797', 'loggedin': True, 'username': 'Rajat Yadav'}>

When I pop all the keys in the session dict mapping, I am left with this:

New Session is:  <SecureCookieSession {}>

The clarity is that the key:value pair gets deleted as we pop the session. One thing for sure is that pop does not delete the complete dictionary object but just the key:value pair inside. To your question of the file not getting deleted, I believe deleting the dictionary object should do the trick. Try:

del session

Let me know if this deletes the file.
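The point in the answer above, that SECRET_KEY signs the cookie-side session but does not hide its contents, can be seen with a small stand-alone model. This is an added example, not code from the question or the answer, and it is a simplified stand-in using stdlib HMAC-SHA256 rather than the exact itsdangerous format Flask uses; the secret and the session values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; Flask reads the real one from app.config["SECRET_KEY"].
SECRET_KEY = b"demo-secret-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes = SECRET_KEY) -> str:
    """Serialise a session dict into a signed but *unencrypted* token.

    Simplified model of Flask's cookie session: the payload is plain base64
    JSON, and an HMAC over it lets the server detect any modification.
    """
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def load_session(token: str, secret: bytes = SECRET_KEY):
    """Return the session dict if the signature verifies, else None."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(payload))


def peek_without_key(token: str) -> dict:
    """Whoever holds the cookie can read the payload: signing is not encryption."""
    return json.loads(_unb64(token.split(".", 1)[0]))


def modify_payload(token: str, **changes) -> str:
    """Change the payload while keeping the old MAC; the server must reject this."""
    data = peek_without_key(token)
    data.update(changes)
    return f"{_b64(json.dumps(data, sort_keys=True).encode())}.{token.rsplit('.', 1)[1]}"


if __name__ == "__main__":
    token = sign_session({"loggedin": True, "username": "Rajat Yadav"})
    print("readable without the key:", peek_without_key(token))
    print("after modification, server sees:", load_session(modify_payload(token, username="admin")))
```

Server-side Flask-Session files have no such signature at all, which is why they are plain text on disk and rely on the host's own access controls.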
