flask-cookie-decode
###################

.. list-table::

   * - .. image:: https://github.com/wgwz/flask-cookie-decode/actions/workflows/action.yml/badge.svg
          :target: https://github.com/wgwz/flask-cookie-decode/actions
          :alt: Github Build Status
   * - .. image:: https://readthedocs.org/projects/flask-cookie-decode/badge/?version=latest
          :target: https://flask-cookie-decode.readthedocs.io/en/latest/?badge=latest
          :alt: Documentation Status

.. contents::

.. section-numbering::

Adds a ``cookie`` command to the built-in Flask CLI which will provide various
tools for debugging the secure session cookie that Flask uses by default.
``flask cookie decode``
    decodes and verifies the signature of the session cookie

By default the Flask session uses a signed cookie to store its data. The Flask
application signs the cookie using its ``SECRET_KEY``. This gives the Flask
application a way to detect any tampering with the session data. If the application
is indeed using a secret key and a secure hashing algorithm, the session signature
will be unique to the application.
For more on the topic of the Flask session see these references:

- `How Secure Is The Flask User Session?`_
- `Quickstart for Flask Sessions`_
- `API Docs for Flask Sessions`_

.. _How Secure Is The Flask User Session?: https://blog.miguelgrinberg.com/post/how-secure-is-the-flask-user-session
.. _Quickstart for Flask Sessions: http://flask.pocoo.org/docs/1.0/quickstart/#sessions
.. _API Docs for Flask Sessions: http://flask.pocoo.org/docs/1.0/api/#sessions
.. _Flask Session Cookie Decoder: https://www.kirsle.net/wizards/flask-session.cgi
If you expose this key your application becomes vulnerable to session replay
attacks. `Here is an example`_ where an application exposed the ``SECRET_KEY``
during 404 errors. The example also illustrates how session replay works.

By default Flask does not expose the ``SECRET_KEY`` anywhere. It is up to you,
the developer, to keep it that way!

.. _Here is an example: https://terryvogelsang.tech/MITRECTF2018-my-flask-app/
.. code-block:: bash

    $ pip install flask-cookie-decode
.. image:: https://raw.githubusercontent.com/wgwz/flask-cookie-decode/master/docs/cookie.png
   :alt: Finding the cookie in browser tools
   :width: 100%
   :align: center
See `examples/app.py <https://github.com/wgwz/flask-cookie-decode/blob/master/examples/app.py>`_:

.. code-block:: python

    from flask import Flask, jsonify, session, request
    from flask_cookie_decode import CookieDecode

    app = Flask(__name__)
    # Demo key used by the CLI examples below; the session cookie is signed with it.
    app.config.update({'SECRET_KEY': 'jlghasdghasdhgahsdg'})

    # Register the ``flask cookie`` command group on this application.
    cookie = CookieDecode()
    cookie.init_app(app)


    @app.route('/')
    def index():
        # Store the ``a`` query parameter in the session and echo the session back.
        a = request.args.get('a')
        session['a'] = a
        return jsonify(dict(session))
This extension ships two CLI interfaces for decoding cookies. One requires a Flask
application instance for the application you want to debug. This method has the
added benefit that the signature of the cookie can be verified, as your application
instance has the ``SECRET_KEY`` used to sign the cookie. This method returns decoded
cookie objects, which can be seen in the examples below. It can return a few
different types of cookie object depending on the state of the cookie. Please keep
in mind that this extension provides only a thin wrapper around the logic Flask uses
to deal with cookies.

The second CLI interface is a tool for decoding cookies without the app secret. It
cannot validate the signatures on the cookies or check their expiration, and it does
not require the application instance like the other CLI. It is intended for debugging
purposes only.
CLI attached to application instance
====================================

1. A cookie with a valid signature:

   .. code-block:: bash

       $ export FLASK_APP=app.py
       $ flask cookie decode eyJhIjoiYXNkYXNkamtqYXNkIn0.XCkk1Q.tTPu2Zhvn9KxgkP35ERAgyd8MzA
       TrustedCookie(contents={'a': 'asdasdjkjasd'}, expiration='2019-01-30T20:04:37')

2. A cookie with an invalid signature:

   .. code-block:: bash

       $ export FLASK_APP=app.py
       $ flask cookie decode eyJhIjoiYXNkYXNkamtqYXNkIn0.XCkk1Q.tTPu2Zhvn9KxgkP35ERAgyd8MzA
       UntrustedCookie(contents={'a': 'asdasdjkjasd'}, expiration='2019-01-30T20:04:37')

3. An expired cookie:

   .. code-block:: bash

       $ export FLASK_APP=app.py
       $ flask cookie decode eyJhIjoiYXNkYXNkamtqYXNkIn0.XCkk1Q.tTPu2Zhvn9KxgkP35ERAgyd8MzA
       ExpiredCookie(contents={'a': 'asdasdjkjasd'}, expiration='2019-01-30T20:04:37')
CLI that ships with the package and only decodes
================================================

.. code-block:: bash

    $ fcd decode eyJhIjoiYXNkYXNkamtqYXNkIn0
    {
      "a": "asdasdjkjasd"
    }
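To show what the three CLI outcomes above are actually checking, here is an added, standard-library-only example (not the extension's own code) that rebuilds Flask's session cookie layout as itsdangerous produces it: URL-safe base64 JSON payload (a leading ``.`` marks zlib compression), a base64 timestamp, and an HMAC-SHA1 signature keyed with HMAC(``SECRET_KEY``, ``"cookie-session"``). ``decode_payload``, ``make_cookie`` and ``cookie_state`` are names assumed here, the 31-day expiry is Flask's default ``PERMANENT_SESSION_LIFETIME``, and the sample data is constructed.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"     # salt Flask passes to itsdangerous for the session cookie
MAX_AGE = 31 * 24 * 3600     # Flask's default PERMANENT_SESSION_LIFETIME, in seconds

def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def _signature(secret: bytes, signed_value: bytes) -> bytes:
    # key_derivation="hmac": the per-salt signing key is HMAC-SHA1(secret, salt)
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_value, hashlib.sha1).digest())

def decode_payload(part: bytes) -> dict:
    """What ``fcd decode`` does: no secret needed; a leading '.' marks zlib compression."""
    compressed = part.startswith(b".")
    raw = _b64d(part[1:] if compressed else part)
    return json.loads(zlib.decompress(raw) if compressed else raw)

def make_cookie(secret: bytes, data: dict, signed_at: int) -> bytes:
    """Constructed sample cookie in Flask's layout: payload.timestamp.signature."""
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    packed = zlib.compress(body)
    payload = (b"." + _b64e(packed)) if len(packed) < len(body) - 1 else _b64e(body)
    stamp = _b64e(signed_at.to_bytes((signed_at.bit_length() + 7) // 8, "big"))
    value = payload + b"." + stamp
    return value + b"." + _signature(secret, value)

def cookie_state(secret: bytes, cookie: bytes, now: int) -> tuple:
    """Hypothetical helper mirroring the three CLI outcomes:
    ("trusted" | "untrusted" | "expired", contents, expiration as a UTC ISO string)."""
    payload, stamp, sig = cookie.rsplit(b".", 2)
    contents = decode_payload(payload)            # decodes regardless of trust
    expires = int.from_bytes(_b64d(stamp), "big") + MAX_AGE
    expiration = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(expires))
    # signature first (constant-time compare), then age, like itsdangerous unsign()
    if not hmac.compare_digest(sig, _signature(secret, payload + b"." + stamp)):
        return "untrusted", contents, expiration
    if now > expires:
        return "expired", contents, expiration
    return "trusted", contents, expiration
```

The timestamp segment ``XCkk1Q`` of the cookie shown in the CLI examples decodes to 2018-12-30T20:04:37 UTC, which is exactly 31 days before the ``expiration`` the CLI prints.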
`Docs <https://flask-cookie-decode.readthedocs.io/en/latest/>`_

`MIT <https://github.com/wgwz/flask-cookie-decode/blob/master/LICENSE>`_.
History
#######

.. towncrier release notes start

- ``fcd`` client now handles compressed cookies. (#10)
- ``fcd`` CLI for reading cookies without a flask app. (#8)
- In all previous releases the CLI with the ``--timestamp`` CLI flag was actually
  returning the timestamp when the cookie was signed, not the timestamp when the
  cookie expires, as it should have been doing.
- In all previous releases there was no error handling for expired cookies. This
  release now returns an ``ExpiredCookie`` when it is detected. (#1)