in reply to Grab username from WP Cookie

Re^2: Grab username from WP Cookie
by Your Mother (Archbishop) on Apr 01, 2020 at 14:20 UTC

    There should never be any information stored in a session cookie at all other than the name and session key. Anything else is bad security. Recommending parsing the putative JSON with regex is bad programming. Answering a PHP question with Python handwaving is bad forum participation.

      There should never be any information stored in a session cookie at all other than the name and session key. Anything else is bad security.

      Mojolicious has a different philosophy: its session data is actually stored in the session cookie, but it is cryptographically signed with the app's secret keystring to prevent tampering.

        I am surprised to hear that. I can understand the functional benefit and the desire and effort to make it as secure as possible, but I reject leaving data on the client and passing it in headers that have to go through various proxies and app forwarding and such, especially where HTTPS is not completely enforced.
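
The trade-off debated in this thread, as an added example (not code from any poster and not Mojolicious's own implementation): a cookie carrying JSON session data with an HMAC-SHA256 signature, showing that signing detects modification but does not hide the contents. The secret, the field names and the `payload--signature` layout are assumptions chosen for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use JSON::PP ();
use MIME::Base64 qw(encode_base64 decode_base64);

my $SECRET = 'constructed-demo-secret';    # assumption: server-side key, never sent to the client
my $JSON   = JSON::PP->new->utf8->canonical;

# Serialize the session data and append an HMAC so the server can detect changes.
sub sign_cookie {
    my ($data) = @_;
    my $payload = encode_base64($JSON->encode($data), '');
    return $payload . '--' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing character.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Return the session hash if the signature checks out, nothing otherwise.
sub verify_cookie {
    my ($cookie) = @_;
    my ($payload, $sig) = $cookie =~ /\A(.*)--([0-9a-f]{64})\z/s or return;
    return unless secure_eq($sig, hmac_sha256_hex($payload, $SECRET));
    return $JSON->decode(decode_base64($payload));
}

my $cookie = sign_cookie({ user => 'alice', role => 'subscriber' });    # constructed sample session
my ($payload, $sig) = split /--/, $cookie;

# 1. Whoever sees the cookie (client, proxy, access log) can read the data without the secret.
print "readable without secret: ", decode_base64($payload), "\n";

# 2. Data changed without the secret no longer matches the signature and is rejected.
my $altered = encode_base64($JSON->encode({ user => 'alice', role => 'admin' }), '') . "--$sig";
print "original accepted: ", (verify_cookie($cookie)  ? 'yes' : 'no'), "\n";
print "altered accepted:  ", (verify_cookie($altered) ? 'yes' : 'no'), "\n";
```

The first line of output is the confidentiality concern raised in the last reply; the last two lines are the integrity guarantee the signed-cookie design relies on.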