In session-based authentication, when the user logs in for the first time, the user details are set in the session of the application's server side and stored in a cookie on the browser. After that, when the user opens the application, the details stored in the cookie are used to check against the session, and the user is automatically logged in if the session is alive.
SECRET_KEY is an application configuration setting that should always be specified in your application's configuration; otherwise, the data stored in the cookie as well as the session on the server side will be in plain text, which is highly insecure.
We will implement a simple mechanism to do this ourselves.
The implementation done in this recipe is designed to explain how authentication works at a lower level. This approach should not be adopted in any...