Description
Hi everyone,
I have started working with Flask in the last month and I noticed that there could be an improvement in secret key management for sessions; specifically, I am taking as reference the OWASP Top 10 Cryptographic Failures entry, at the point where it talks about the importance of proper key management (which isn't Flask's responsibility) and rotation.
I saw that there is a closed issue on that topic; however, that was from 10 years ago, and a lot of time has passed, so I thought it would be a nice thing to point out. I understand that this implies session invalidation when the secret key changes, but I think that this could be a choice left to developers based on the security requirements of the specific system, therefore adding more flexibility.
If I am wrong in any way or it isn't feasible, I hope that someone can provide me with a good explanation of why.
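As an added illustration of the trade-off the issue raises (not code from Flask, itsdangerous or the issue author), here is a self-contained, stdlib-only signed-cookie scheme that keeps a list of keys: the newest key signs, every key in the list may verify. Rotation then becomes a two-step choice for the operator: add the new key while the old one is still accepted (existing sessions survive), then drop the old key once its sessions have aged out (anything still signed with it is invalidated). All key values, function names and the `{"user_id": 42}` session payload are constructed for the example; Flask's real cookie serializer is itsdangerous, whose format differs from this one.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example keys. Real deployments load these from a secret store,
# and the "old" key should be at least as strong as the new one.
OLD_KEY = b"old-secret-key-constructed-example"
NEW_KEY = b"new-secret-key-constructed-example"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, body: str) -> bytes:
    # Derive a purpose-specific key so the raw secret is never used directly
    # (the same idea as a "salt"/context string in cookie serializers).
    derived = hmac.new(key, b"cookie-session", hashlib.sha256).digest()
    return hmac.new(derived, body.encode("ascii"), hashlib.sha256).digest()


def sign_session(data: dict, keys: list, now: Optional[float] = None) -> str:
    """Serialize `data` and sign it with the NEWEST key (last in the list)."""
    if not keys:
        raise ValueError("at least one signing key is required")
    payload = {"d": data, "ts": int(now if now is not None else time.time())}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_b64(_mac(keys[-1], body))}"


def load_session(cookie: str, keys: list, max_age: int = 3600,
                 now: Optional[float] = None) -> Optional[dict]:
    """Verify against EVERY configured key; None means reject (bad MAC or expired)."""
    try:
        body, sig_text = cookie.rsplit(".", 1)
        sig = _unb64(sig_text)
    except ValueError:            # malformed cookie or bad base64
        return None
    # Constant-time comparison per key; a match with any listed key is accepted.
    if not any(hmac.compare_digest(_mac(k, body), sig) for k in keys):
        return None
    payload = json.loads(_unb64(body))
    current = now if now is not None else time.time()
    if current - payload["ts"] > max_age:
        return None
    return payload["d"]


def rotation_demo() -> dict:
    """Walk a cookie through the rotation phases discussed in the issue."""
    t0 = 1_700_000_000                      # fixed clock so results are deterministic
    old_cookie = sign_session({"user_id": 42}, [OLD_KEY], now=t0)
    # Phase 2: both keys configured; new cookies are signed with NEW_KEY only.
    new_cookie = sign_session({"user_id": 42}, [OLD_KEY, NEW_KEY], now=t0)
    tampered = old_cookie[:-4] + ("AAAA" if not old_cookie.endswith("AAAA") else "BBBB")
    return {
        "before_rotation": load_session(old_cookie, [OLD_KEY], now=t0),
        "overlap_old_cookie": load_session(old_cookie, [OLD_KEY, NEW_KEY], now=t0),
        "after_retire_old_cookie": load_session(old_cookie, [NEW_KEY], now=t0),
        "after_retire_new_cookie": load_session(new_cookie, [NEW_KEY], now=t0),
        "tampered": load_session(tampered, [OLD_KEY, NEW_KEY], now=t0),
        "expired": load_session(new_cookie, [NEW_KEY], max_age=60, now=t0 + 61),
    }


if __name__ == "__main__":
    for phase, result in rotation_demo().items():
        print(f"{phase:>24}: {result}")
```

The overlap phase is where the "leave it to the developer" flexibility lives: an operator who wants hard invalidation on every rotation simply never lists the old key, while one who wants a graceful cutover keeps it until `max_age` has elapsed. Note that the old key remains a valid forgery key for as long as it is listed, so the overlap window should not be longer than the session lifetime.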