When you decode any cookie (e.g. .eJwlzrkNwkAQAMBeLibY7z43Y-3tI0htHCF6xxLxJPMpex5xPsv2Pq54lP3lZSsdFxOCJWdgQEJdYNJ0yeCs7rcau0hI1qA6OkzkzoMBIbk18SSsuUBNPVS5LydAAxFX1IoqomlITDyVklImmndkG21KlDtynXH8N1S-P7i0LyI.XzztZw.69XSr95anbpcU_9uHkf9-HcQ4JQ ) and get the result (e.g.

{
"_fresh":True
"_id":"71b3210cf3fe1e0f05b0c46ab483f5ddb32c3d44e4f5e258709137383010f3664df215fb0acadeaa37bd201c044da1a51a44afc123239a2f2f491cd713c8694e",
"_user_id":"2"
}

), you might wonder what is the _id value.

Flask-Login/utils shows

session['_id'] = current_app.login_manager._session_identifier_generator()

and Flask-Login/login_manager shows

self._session_identifier_generator = _create_identifier

Flask-Login/utils contains _create_identifier function which creates sha512 based on User-Agent header and user's ip address. That is exactly the _id value.

For instance - if you pass 127.0.0.1 as an ip address and Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 as an User-Agent, script (and - as expected - itsdangerous) prints

eada87a072e4236c302afb2e76de3e40dc481f1dc60f0f081c2a83e8e60f976c69498fa934dce6e8b19650c2d367e64478b2dfccf4c7a025ec295ca6b2460a74

Check that with own Flask app 😄

🔥 Hint :

Create a simple endpoint:

@app.route('/show_session')
def show_session():
    return str(session.items())

and compare the obtained result with your cookie.

• Create an _id in cookie: edit remote_address and user_agent field (as string!) and type python3 create_cookie.py
• Decode cookie: edit cookie field (as string!) and type python3 decode_cookie.py
• Create whole cookie - use this tool

• itsdangerous

• Flask Session Cookie Decoder
• Encoding and decoding Flask-Login cookies