A Mojolicious session has a base64 string (at the beginning, the first part) and
a signature (at the end, the second part), which are separated by "---".
The signature is the main part of the session, which protects it from changes.
So, make a test:
Add some value to the session. Make a request which gets this value in the
Get the session and transform its first part (base64_decode it, change the
value, then base64_encode it and put it before "--" in the cookie).
Make a query to the server with the new cookie/session. Your new data must be
invalid in the session.
So, the signature is an IMPORTANT part of the session.
Read the source code to learn more about it.
Read this to learn how to set the secret key for signing cookies.
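
The test described above as a script, added here as an example and not taken from the original post or from Mojolicious itself. It models a signed cookie with Mojo::Util helpers; the HMAC-SHA1 signature over the bare value, the "--" separator, the secret and the session contents are assumptions, so check the source of your Mojolicious version for the exact scheme.

```perl
#!/usr/bin/env perl
# Added example: a simplified model of a signed session cookie,
# not Mojolicious's own implementation.
use strict;
use warnings;
use Mojo::JSON qw(decode_json encode_json);
use Mojo::Util qw(b64_decode b64_encode hmac_sha1_sum secure_compare);

my $secret = 'constructed-demo-secret';    # constructed value for this demo only

# Serialize the session, base64-encode it and append "--" plus the signature.
sub sign_session {
  my ($session, $key) = @_;
  my $value = b64_encode encode_json($session), '';
  return "$value--" . hmac_sha1_sum($value, $key);
}

# Return the session hash if the signature matches, undef otherwise.
sub verify_session {
  my ($cookie, $key) = @_;
  return undef unless $cookie =~ /\A(.+)--([0-9a-f]+)\z/s;
  my ($value, $sig) = ($1, $2);
  # Constant-time comparison of the received and the recomputed signature.
  return undef unless secure_compare $sig, hmac_sha1_sum($value, $key);
  return decode_json(b64_decode $value);
}

# Constructed session contents.
my $cookie = sign_session({user => 'alice', admin => 0}, $secret);

# The test from the text: decode the first part, change a value, re-encode it
# and put it back in front of the original signature.
my ($value, $sig) = $cookie =~ /\A(.+)--([0-9a-f]+)\z/s;
my $session = decode_json(b64_decode $value);
$session->{admin} = 1;
my $changed = b64_encode(encode_json($session), '') . "--$sig";

# The untouched cookie verifies; the changed one does not, because the
# signature no longer matches the first part.
printf "original: %s\n", verify_session($cookie,  $secret) ? 'accepted' : 'rejected';
printf "changed:  %s\n", verify_session($changed, $secret) ? 'accepted' : 'rejected';
```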