There should never be any information stored in a session cookie at all other than the name and session key. Anything else is bad security.

Mojolicious has a different philosophy: its session data is actually stored in the session cookie, but it is cryptographically signed with the app's secret keystring to prevent tampering.

I am surprised to hear that. I can understand the functional benefit and the desire and effort to make it as secure as possible but I reject leaving data on the client and passing it in headers that have to go through various proxies and app forwarding and such especially where HTTPS is not completely enforced.

I reject leaving data on the client and passing it in headers that have to go through various proxies and app forwarding and such especially where HTTPS is not completely enforced.

Sure, that's definitely a concern. Personally all I store in the session is some identifier, like the username, and keep the rest on the server. (I posted some sample code at 11114043 and 11114542).

I am surprised to hear that. I can understand the functional benefit and the desire and effort to make it as secure as possible but I reject leaving data on the client and passing it in headers that have to go through various proxies and app forwarding and such especially where HTTPS is not completely enforced.

But its not even "as secure as possible". The cookies are merely signed, they're not encrypted.

Mojolicious has a different philosophy: its session data is actually stored in the session cookie, but it is cryptographically signed with the app's secret keystring to prevent tampering.

Hi. A "signed cookies" feature does not constitute a "philosophy"

Also it is not an endorsement or suggestion on WHAT should be stored in cookies or how to use that information....

?? maybe related thoughts ??

https://tools.ietf.org/html/rfc7515

https://tools.ietf.org/html/draft-secure-cookie-session-protocol-02