> > True. There is an important difference in that the session could be > in a know state hence the secret could be guessed with a lot less > effort. >
I believe the session content is being encrypted with AES, which as far as I know is not vulnerable to known plaintext attacks. In any case, the exact plaintext won't be known and at best might be guessed. Note, Flask doesn't even encrypt the cookie content -- it just signs the cookie with a hash of the content so it can't be modified (see http://flask.pocoo.org/docs/api/#sessions and http://werkzeug.pocoo.org/docs/contrib/securecookie/). I think it just uses a single secret key as well. Anthony
