Flask sessions, where are the cookies stored?

I'm learning Flask and want to understand how sessions work. Apparently the server stores a signed cookie on the client browser. I have done this process using

    from flask import session
    session['mycookie'] = 'mycookievalue'

But I'm unable to find the cookie on the browser. I normally list cookies on the browser using chrome developer tools and running the command:

document.cookie

This works when I set a cookie but nothing comes up when I set it through sessions.

Karim Lameer asked May 06 '16 09:05


2 Answers

I am finding this question 3 years and 8 months later because I have an interest in the event it is modified or spoofed, to ensure my backend is able to tell the difference.

Using Chrome, press F12, select the Application tab, and underneath Storage go to Cookies. Under Cookies you'll find the webpage; select it and the right side will populate, and, assuming you have done something to create your session cookie, it will be there. You will notice that the value is encrypted.

(image: the session cookie shown in the Cookies panel of the Application tab)

Jordon Gonzales answered Oct 26 '22 05:10


The Flask session cookie has the httponly flag set, making it invisible from JavaScript.

It is otherwise a normal, regular cookie so it is still stored in the browser cookie store; you should still be able to see it in your browser's developer tools.

You can set the SESSION_COOKIE_HTTPONLY option to False if you want to be able to access the cookie value from JavaScript code. From the Builtin Configuration Values section:

SESSION_COOKIE_HTTPONLY
controls if the cookie should be set with the httponly flag. Defaults to True.

The cookie contains all your session data, serialised using JSON (with tagging support for a wider range of Python types), together with a cryptographic signature that makes sure the data can't be tampered with securely.

If you disable the httponly protection, any JS code could still decode and read all your session data. Even if it can't change those values, that could still be very interesting to malicious code. Imagine an XSS bug in your site being made worse because the JS code could just read a CSRF token used to protect a web form straight from the session.

Martijn Pieters answered Oct 26 '22 07:10
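The following Python is an added example and is not code from the question, from either answer, or from Flask itself. It reimplements, with the standard library only, the cookie format the second answer describes (itsdangerous's URLSafeTimedSerializer as Flask configures it: salt "cookie-session", HMAC-SHA1, URL-safe base64 with optional zlib compression), so that the point both answers circle around can be checked by hand: the value in the Cookies panel is signed, not encrypted, so anyone holding the cookie can read the session data without the secret key, while a modified or spoofed cookie fails verification on the backend. The secret key, session contents and timestamps below are constructed for the demonstration. The timestamp is seconds since the Unix epoch as in itsdangerous 2.x; itsdangerous 1.x subtracted a 2011 epoch, which only affects the expiry check, not the signature or the payload decoding.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"          # salt Flask's SecureCookieSessionInterface uses
DEFAULT_MAX_AGE = 31 * 24 * 3600  # Flask's default PERMANENT_SESSION_LIFETIME


def _b64e(raw):
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret_key):
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key.encode("utf-8"), SALT, hashlib.sha1).digest()


def _encode_payload(data):
    """Compact JSON; zlib-compressed and prefixed with '.' when that is shorter."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    packed = zlib.compress(raw)
    if len(packed) < len(raw) - 1:
        return b"." + _b64e(packed)
    return _b64e(raw)


def decode_session_payload(cookie):
    """Read the session data WITHOUT the secret key.

    Nothing is decrypted here: the payload is only base64 (and maybe zlib)
    encoded. Values Flask tags (tuples, datetimes, ...) come back as their
    tag dicts rather than the original Python objects.
    """
    payload = cookie.encode("ascii").rsplit(b".", 2)[0]  # drop ".timestamp.signature"
    if payload.startswith(b"."):
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def sign_session(data, secret_key, timestamp=None):
    """Build a cookie value the way Flask does: payload.timestamp.signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    body = _encode_payload(data) + b"." + ts_b64
    sig = _b64e(hmac.new(_derive_key(secret_key), body, hashlib.sha1).digest())
    return (body + b"." + sig).decode("ascii")


def verify_session_cookie(cookie, secret_key, max_age=DEFAULT_MAX_AGE, now=None):
    """What the backend does: return the session dict only if the HMAC matches
    and the timestamp is fresh; otherwise None (Flask then starts an empty session)."""
    parts = cookie.encode("ascii").rsplit(b".", 1)
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64e(hmac.new(_derive_key(secret_key), body, hashlib.sha1).digest())
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    ts = int.from_bytes(_b64d(body.rsplit(b".", 1)[1]), "big")
    now = int(time.time()) if now is None else now
    if now - ts > max_age:
        return None
    return decode_session_payload(cookie)


def forge_attempt(cookie, new_data):
    """Swap the payload but keep the original timestamp and signature: all an
    attacker who read the cookie but lacks the secret key can do."""
    _, ts_b64, sig = cookie.encode("ascii").rsplit(b".", 2)
    return (_encode_payload(new_data) + b"." + ts_b64 + b"." + sig).decode("ascii")


if __name__ == "__main__":
    SECRET = "dev-secret-do-not-use"  # constructed for the demo
    cookie = sign_session({"mycookie": "mycookievalue", "csrf_token": "abc123"},
                          SECRET, timestamp=1_700_000_000)
    print("cookie:", cookie)
    print("read without key:", decode_session_payload(cookie))
    print("backend accepts:", verify_session_cookie(cookie, SECRET, now=1_700_000_100))
    forged = forge_attempt(cookie, {"mycookie": "admin", "csrf_token": "abc123"})
    print("forged still decodes:", decode_session_payload(forged))
    print("backend accepts forged:", verify_session_cookie(forged, SECRET, now=1_700_000_100))
```

Against a real application, `flask.sessions.SecureCookieSessionInterface().get_signing_serializer(app)` returns the serializer Flask actually uses, so the same read-and-tamper check can be run with a cookie copied from the Cookies panel. The lesson for the original question stands: leave `SESSION_COOKIE_HTTPONLY` at its default of True, keep anything secret out of the session (it is readable by whoever holds the cookie), and rotate the secret key if it ever leaks, since the signature is the only thing stopping a forged session.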