When you decode any cookie (e.g.
.eJwlzrkNwkAQAMBeLibY7z43Y-3tI0htHCF6xxLxJPMpex5xPsv2Pq54lP3lZSsdFxOCJWdgQEJdYNJ0yeCs7rcau0hI1qA6OkzkzoMBIbk18SSsuUBNPVS5LydAAxFX1IoqomlITDyVklImmndkG21KlDtynXH8N1S-P7i0LyI.XzztZw.69XSr95anbpcU_9uHkf9-HcQ4JQ
)
and get the result (e.g.
{
"_fresh":True
"_id":"71b3210cf3fe1e0f05b0c46ab483f5ddb32c3d44e4f5e258709137383010f3664df215fb0acadeaa37bd201c044da1a51a44afc123239a2f2f491cd713c8694e",
"_user_id":"2"
}
), you might wonder what is the _id
value.
Flask-Login/utils shows
session['_id'] = current_app.login_manager._session_identifier_generator()
and Flask-Login/login_manager shows
self._session_identifier_generator = _create_identifier
Flask-Login/utils contains _create_identifier
function which creates sha512
based on User-Agent
header and user's ip address. That is exactly the _id
value.
For instance - if you pass 127.0.0.1
as an ip address and Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
as an User-Agent
, script (and - as expected - itsdangerous
) prints
eada87a072e4236c302afb2e76de3e40dc481f1dc60f0f081c2a83e8e60f976c69498fa934dce6e8b19650c2d367e64478b2dfccf4c7a025ec295ca6b2460a74
Check that with own Flask app 😄
🔥 Hint :
Create a simple endpoint:
@app.route('/show_session')
def show_session():
return str(session.items())
and compare the obtained result with your cookie.
- Create an
_id
in cookie: editremote_address
anduser_agent
field (as string!) and typepython3 create_cookie.py
- Decode cookie: edit
cookie
field (as string!) and typepython3 decode_cookie.py
- Create whole cookie - use this tool
- itsdangerous