Sessions & Cookies
A session is a per-user store that remembers data across requests, and a cookie is the small piece of browser-stored data Flask uses to make that possible — together they're how a site keeps you logged in.
Part of the free Flask course at LearnCodingFast — hands-on lessons with examples you run in your browser, plus practice exercises and a quick quiz.
In this lesson you'll store data in the session object, read it back on later requests, set your own cookies directly, and understand why a secret_key is essential.
HTTP is stateless — each request arrives with no memory of the last one. The session object fixes that. It behaves like a dictionary you can write to in one request and read from in the next, scoped to a single user.
Because Flask stores the session in a signed cookie, you must set app.secret_key so users can't tamper with it. The example below logs a user in by saving their name to the session, then reads it back on the home page.
On the first request there's no session, so you see "You are not logged in." After visiting the login route, the session remembers the user and the home page greets them by name.
Logging a user out means removing their data from the session. Use session.pop("key", None) to drop a single value, or session.clear() to wipe everything.
The example below adds a logout route that clears the stored user and redirects home. After logout, the home page reports that nobody is signed in.
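The login, read-back and logout flow described above, as an added example that is not the lesson's own code; the route names and the peek() and demo() helpers are assumptions. It also shows what signing does and does not give you: the cookie payload can be decoded without the key, but a modified payload fails verification and Flask falls back to an empty session.

```python
import base64
import json
import secrets
import zlib

from flask import Flask, redirect, session
from markupsafe import escape

app = Flask(__name__)
# Constructed per run for the demo; in production load one long random value from config.
app.secret_key = secrets.token_hex(32)

@app.route("/")
def home():
    user = session.get("user")
    return f"Hello, {escape(user)}!" if user else "You are not logged in."

@app.route("/login/<name>")  # hypothetical route; a real login would verify credentials
def login(name):
    session["user"] = name
    return redirect("/")

@app.route("/logout")  # hypothetical route
def logout():
    session.pop("user", None)
    return redirect("/")

def peek(cookie):
    """Decode a session cookie's payload without knowing secret_key."""
    compressed = cookie.startswith(".")  # Flask zlib-compresses larger payloads
    payload = cookie.lstrip(".").split(".")[0]
    raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    return json.loads(zlib.decompress(raw) if compressed else raw)

def demo():
    client = app.test_client(use_cookies=False)  # cookies are passed by hand below
    set_cookie = client.get("/login/alice").headers["Set-Cookie"]
    cookie = set_cookie.split(";")[0].split("=", 1)[1]
    readable = peek(cookie)  # signed, not encrypted: the holder can read it
    # Replace the payload but keep the old timestamp and signature.
    forged_payload = base64.urlsafe_b64encode(b'{"user":"admin"}').rstrip(b"=").decode()
    forged = ".".join([forged_payload] + cookie.split(".")[1:])
    genuine = client.get("/", headers={"Cookie": f"session={cookie}"})
    tampered = client.get("/", headers={"Cookie": f"session={forged}"})
    return readable, genuine.get_data(as_text=True), tampered.get_data(as_text=True)

if __name__ == "__main__":
    print(demo())
```

Since the payload is readable by whoever holds the cookie, keep passwords and other secrets out of the session.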
Sometimes you want a plain cookie rather than the session — for example to remember a theme preference. Build a response with make_response(...), call response.set_cookie(name, value), and read it later with request.cookies.get(name).
The example below stores a theme cookie on one route and reads it back on another, returning the saved theme or a default.
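One way to write the theme cookie described above, as an added example rather than the lesson's own code; the route names, the allowed theme list and demo() are assumptions. Because a plain cookie is not signed, the value is checked against the allowed list when it is read back, and the cookie is set with the Secure, HttpOnly and SameSite attributes.

```python
from flask import Flask, make_response, request

app = Flask(__name__)
ALLOWED_THEMES = {"light", "dark"}  # assumed theme names
DEFAULT_THEME = "light"

@app.route("/theme/<name>")  # hypothetical route
def set_theme(name):
    if name not in ALLOWED_THEMES:
        return "Unknown theme", 400
    response = make_response(f"Theme set to {name}")
    response.set_cookie(
        "theme", name,
        max_age=30 * 24 * 3600,  # keep for 30 days
        secure=True,             # only sent over HTTPS
        httponly=True,           # hidden from page scripts; drop if client JS must read it
        samesite="Lax",          # not attached to cross-site subrequests
    )
    return response

@app.route("/")
def show_theme():
    # A plain cookie is unsigned, so treat it as user input and validate it.
    theme = request.cookies.get("theme", DEFAULT_THEME)
    return f"Current theme: {theme if theme in ALLOWED_THEMES else DEFAULT_THEME}"

def demo():
    client = app.test_client(use_cookies=False)  # cookies are passed by hand below
    header = client.get("/theme/dark").headers["Set-Cookie"]
    saved = client.get("/", headers={"Cookie": "theme=dark"}).get_data(as_text=True)
    edited = client.get("/", headers={"Cookie": "theme=neon"}).get_data(as_text=True)
    return header, saved, edited

if __name__ == "__main__":
    print(demo())
```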
Complete the visit counter below. Replace each ___ so it stores a count in the session and increments it on each request.
❌ RuntimeError: The session is unavailable because no secret key was set
You used session without a key. Set app.secret_key = "..." once after creating the app. Use a long, random value in production.
❌ My cookie or session "doesn't stick" between requests
Cookies are tied to the browser. Tools like curl drop them unless you tell them to persist. In tests, reuse one app.test_client() so cookies carry over like a real browser.
Build a protected page that only logged-in users can see.
Lesson 9 complete — your app can remember its users!
You stored and cleared data in the session, set and read raw cookies, and learned why app.secret_key keeps sessions safe.
🚀 Up next: Flask Blueprints — split a growing app into clean, reusable modules.
Practice quiz
How does the Flask session object behave in your code?
- Like a file handle
- Like a dictionary
- Like a database cursor
- Like a list
Answer: Like a dictionary. session behaves like a dictionary you read from and write to.
Where does Flask store the session data by default?
- In a server-side file
- In the URL
- In a signed cookie
- In a database table
Answer: In a signed cookie. Flask serializes the session into a signed cookie sent to the browser.
What must you set for sessions to work?
- app.debug
- DB
Answer: app.secret_key. app.secret_key signs the session cookie; without it session use raises an error.
How do you safely read a session value with a default?
- session.get("user")
- session.read("user")
- session.fetch("user")
- session.value("user")
Answer: session.get("user"). session.get("user") returns the value or None/default if absent.
How do you remove a single value to log a user out?
- session.delete("user")
- session.pop("user", None)
- session.remove("user")
- del session
Answer: session.pop("user", None). session.pop("user", None) removes just that key.
Which call wipes everything from the session?
- session.reset()
- session.empty()
- session.clear()
- session.drop()
Answer: session.clear(). session.clear() removes all stored session data.
How do you set a cookie directly on a response?
- request.set_cookie(...)
- cookie.add(...)
- session.cookie(...)
- response.set_cookie(name, value)
Answer: response.set_cookie(name, value). Build a response with make_response and call response.set_cookie(name, value).
How do you read a cookie the browser sent back?
- request.cookies.get("theme")
- session.cookie("theme")
Answer: request.cookies.get("theme"). request.cookies.get("theme") reads an incoming cookie value.
Why does Flask sign the session cookie?
- To compress it
- So users can't tamper with its contents
- To encrypt the database
- To speed up requests
Answer: So users can't tamper with its contents. Signing lets Flask detect tampering with the cookie's contents.
What property of HTTP makes sessions necessary?
- It is encrypted
- It only supports GET
- It is stateless — each request has no memory of the last
- It caches everything
Answer: It is stateless — each request has no memory of the last. HTTP is stateless, so sessions add per-user memory across requests.