Yeah, if it's AES, it would take at the least 100 years to crack (with 
20,000 modern computers), and that's most likely longer than your web 
application is going to be running. 

On Tuesday, June 12, 2012 6:07:06 AM UTC-7, Anthony wrote:
>
> True.  There is an important difference in that the session could be 
>> in a known state hence the secret could be guessed with a lot less 
>> effort. 
>>
>
> I believe the session content is being encrypted with AES, which as far as 
> I know is not vulnerable to known plaintext attacks. In any case, the exact 
> plaintext won't be known and at best might be guessed.
>
> Note, Flask doesn't even encrypt the cookie content -- it just signs the 
> cookie with a hash of the content so it can't be modified (see 
> http://flask.pocoo.org/docs/api/#sessions and 
> http://werkzeug.pocoo.org/docs/contrib/securecookie/). I think it just 
> uses a single secret key as well.
>
> Anthony
>
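
The difference between a signed cookie and an encrypted one, which the quoted message raises, shown as an added example that is not part of the original thread and is not Flask's or Werkzeug's actual cookie format. The key, the cookie layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key"  # constructed sample value, not a real key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def sign_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the session and append an HMAC-SHA256 tag. Nothing is encrypted."""
    payload = json.dumps(session, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def read_without_key(cookie: str) -> dict:
    """Anyone holding the cookie can decode the payload; signing gives no secrecy."""
    payload_b64 = cookie.split(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict if the tag matches, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def with_modified_payload(cookie: str, **changes) -> str:
    """Rebuild the cookie with an edited payload and the old tag (integrity test input)."""
    session = read_without_key(cookie)
    session.update(changes)
    payload = json.dumps(session, sort_keys=True).encode()
    return _b64(payload) + "." + cookie.split(".", 1)[1]
```

Values that must stay hidden from the client therefore need encryption as well as a signature, or should be kept server-side.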
