Is Flask-Session logic similar to JWT

Question

I have a question about flasks session logic. First of all as I know there are two ways to store session data, one is on client side and the second is server side. Flask, as I know, is using the former one (client side) where the session is encrypted and stored on the browser of the client.

Let's us say we want to make a login on a flask-backend

1. User does a login, flask generates a session and through set-cookie the client stores the session
2. User makes another request to the backend and sends its cookies where also the session is stored and flask validates the session with the key which it used to encrypt the session
3. When the session is valid, flask loads the session, thus that means the user is logged in

And JWT works the following as I know. It generates a token and the client stores the token and sends it in each request to the server, where the token is validated.

As I know, both flask and JWT uses a secret to encrypt the data.

So can we say, that flask-session and JWT are somehow similar?

Answer 1

Both jwt and flask session work on client, but the key difference is that flask session stores the signed session data at the client cookie, but in jwt you have the independence to store the token anywhere you want, say localstorage, cookie etc.

And jwt will be base64 encoded by default while in flask session it has to be done manually for security. But yes the difference between traditional sessions (say php) and flask-sessions is that the session data is stored in the client rather than as a file at the server (while the client cookie has session id in traditional sessions).