Flask: Add a tool to decode session cookie

Created on 26 Dec 2018 · 8 Comments · Source: pallets/flask

Hi, all. I have a feature request that I've been thinking about for a while. Sometimes I want to look at what is in the session cookie. Obviously one way to do that is by logging the cookie at various points in your server-side code. But sometimes I want to inspect the cookie outside of the application, directly from the browser. There are various ways of doing this (1, 2, 3). But it requires defining a snippet of code each time you want to do it.

That said, this feature request is to add in a utility, perhaps a CLI tool that decodes a session cookie, e.g.:

$ flask decode <cookie-from-browser>

This would prevent users from needing to define this snippet each time, and provide an easy to use interface. I'm curious to hear what others think and if this is indeed a feature that the community thinks will be useful.

All 8 comments

Hi @wgwz, I hope you are doing well!

This would also work well as an extension to Flask, so I would just implement it, if anything just to see a running prototype. The command could not only decode the session but also validate the signature, since it would be running under a Flask app context with access to the secret key.

Hey @miguelgrinberg, I'm doing alright :-)

Put something together for this, any feedback is appreciated:
https://github.com/wgwz/flask-decode

The documentation is light so far, see here: https://github.com/wgwz/flask-decode/blob/master/flask_decode/flask_decode.py#L36-L50

Thanks for working on this. I also feel that it's more appropriate as a separate extension. I'd recommend calling this Flask-Decode-Cookie or something else more specific.

@wgwz looks good! You may also consider showing the contents of the session cookie when the signature does not validate, while of course noting this as a potential problem.

@davidism and also to others, how important do you think the name change is? I should have asked for thoughts on the name before I set everything up. It won't be too hard to change but if it's something that's not too important, I might just want to leave as is.

To me, both the package and command names don't say what they're decoding, and there are lots of things that could be decoded.

This will be my last comment in this thread. I've changed the name of the project to "flask-cookie-decode".

  1. https://github.com/wgwz/flask-cookie-decode
  2. https://pypi.org/project/flask-cookie-decode/
  3. https://flask-cookie-decode.readthedocs.io/en/latest/index.html
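
The behaviour discussed in this thread (reading a session cookie's contents, validating the signature when the secret key is available, and still showing the contents when it does not validate), as an added standard-library example that is not code from the thread or from flask-cookie-decode. It assumes Flask's default session cookie layout (salt `cookie-session`, HMAC-SHA1 with HMAC key derivation); `decode_cookie`, `make_sample_cookie`, the key and the session values are constructed for illustration.

```python
import base64, hashlib, hmac, json, zlib
from typing import Optional

# Assumption: Flask's default session interface (this salt, HMAC-SHA1, "hmac" key derivation).
SALT = b"cookie-session"

def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def _b64e(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def _sig(secret_key: bytes, signed_part: bytes) -> bytes:
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_part, hashlib.sha1).digest())

def decode_cookie(cookie: str, secret_key: Optional[bytes] = None) -> dict:
    """Decode the payload; signature_valid is True, False, or None (no key given)."""
    signed_part, _, sig = cookie.encode().rpartition(b".")
    body, _, _timestamp = signed_part.rpartition(b".")
    compressed = body.startswith(b".")  # a leading "." marks a zlib-compressed payload
    data = _b64d(body[1:] if compressed else body)
    if compressed:
        data = zlib.decompress(data)
    valid = None
    if secret_key is not None:
        valid = hmac.compare_digest(sig, _sig(secret_key, signed_part))
    # The payload is readable without the key: the cookie is signed, not encrypted.
    # Values Flask stores with type tags (tuples, bytes, ...) appear here as raw tagged JSON.
    return {"contents": json.loads(data), "signature_valid": valid}

def make_sample_cookie(secret_key: bytes, session: dict, ts: int = 1545782400) -> str:
    """Build a constructed cookie in the same layout so the example runs offline."""
    body = _b64e(json.dumps(session, separators=(",", ":")).encode())
    signed_part = body + b"." + _b64e(ts.to_bytes(4, "big"))
    return (signed_part + b"." + _sig(secret_key, signed_part)).decode()

if __name__ == "__main__":
    key = b"constructed-dev-key"  # constructed value, not a real secret
    cookie = make_sample_cookie(key, {"user_id": 42, "role": "editor"})
    print(decode_cookie(cookie))                # contents only, signature not checked
    print(decode_cookie(cookie, key))           # contents plus signature check with the key
    print(decode_cookie(cookie, b"other-key"))  # contents still shown, mismatch flagged
```

Because the contents decode without the key, the signature only protects integrity; a `signature_valid` of `False` should be surfaced to the operator rather than hidden.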