Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Flask sessions, where are the cookies stored?

Tags:

python

cookies

session

flask

I'm learning flask and want to understand how sessions work. Apparently the server stores a signed cookie on the client browser. I have done this process using 

sessions['mycookie'] = 'mycookievalue'

But I'm unable to find the cookie on the browser. I normally list cookies on the browser using chrome developer tools and running the command:

document.cookie

This works when I set a cookie but nothing comes up when I set it through sessions.

like image 699
Karim Lameer Avatar asked May 06 '16 09:05

Karim Lameer

2 Answers

I am finding this question 3 years and 8 months later because I have an interest in the event it is modified or spoofed, to ensure my backend is able to tell the difference.

Using chrome, use F12, select Application tab, underneath Storage go to Cookies. Under cookies you'll find the webpage, select it and the right side will populate and assuming you have done something to create your session cookie, it will be there. You will notice that the value is encrypted.

Picture showing the location of session cookie

like image 167
Jordon Gonzales Avatar answered Oct 26 '22 05:10

Jordon Gonzales

The Flask session cookie has the httponly flag set, making it invisible from JavaScript.

It is otherwise a normal, regular cookie so it is still stored in the browser cookie store; you should still be able to see it in your browser's developer tools.

You can set the SESSION_COOKIE_HTTPONLY option to False if you want to be able to access the cookie value from JavaScript code. From the Builtin Configuration Values section:

SESSION_COOKIE_HTTPONLY
controls if the cookie should be set with the httponly flag. Defaults to True.

The cookie contains all your session data, serialised using JSON (with tagging support for a wider range of Python types), together with a cryptographic signature that makes sure the data can't be tampered with securely.

If you disable the httponly protection, any JS code could still decode and read all your session data. Even if it can't change those values, that could still be very interesting to malicious code. Imagine a XSS bug in your site being made worse because the JS code could just read a CSRF token used to protect a web form straight from the session.

like image 35
Martijn Pieters Avatar answered Oct 26 '22 07:10

Martijn Pieters
Sign in to Comment

Related questions

%timeit equivalent in code
Cannot manually close matplotlib plot window
Resampling pandas dataframe is deleting column
PDF Miner PDFEncryptionError
Spark __getnewargs__ error
ValueError: not enough values to unpack (expected 11, got 1)
Fixtures in Golang testing
Inserting a table with openpyxl
Networkx Multigraph from_pandas_dataframe
Pandas DataFrame apply() ValueError: too many values to unpack (expected 2)
Django 1.8 Cache busting + Amazon S3
What's the time complexity of indexing a numpy array directly
Axes labels within numpy arrays
how to disable init_printing in sympy + IPython
Get DataFrame column as list of values
How to write a test for a function with optional arguments
Wrong number of dimensions on model.fit
Page number python-docx
Pass array as argument in python
Unable to install R package due to XML dependency mismatch

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!