Apache cookie decrypt (flask session)

-上瘾入骨i 2021-01-26 14:46

Can anybody help me, pls? I am thinking about simple analytics, i.e. put all necessary data into a cookie and then log it through the Apache mechanism. Next, logs from apache I can

1 answer
  •  闹比i (original poster)
    2021-01-26 15:32

    The session cookie is not encrypted. It is json encoded, compressed, base64 encoded, and cryptographically signed. It uses the itsdangerous package to accomplish this. The session cookie is not meant to be convenient to read outside Flask. You could of course reverse this process (separate the signature, validate it, decode the payload, and decompress it). However, it would make more sense to let Flask do this, and just do the logging from the app.


    For reference, the format of the cookie is:

    • starts with . if the data is compressed (uses zlib)
    • data (base64 encoded, possibly compressed, json encoded)
    • . separates data and signature
    • signature (hmac by default)

    Looking into the source for itsdangerous and Flask will show the specifics of what you would need to reverse if you were to try to read this in Apache.

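The reverse process the answer describes (split off the signature, validate it, decode the payload, decompress it), as an added standard-library example that is not code from the answer, Flask or itsdangerous. It assumes Flask's default session settings (salt `cookie-session`, HMAC-SHA1, `hmac` key derivation) and the timestamp segment that Flask's timed serializer places between the data and the signature; `make_cookie` and the key used with it are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # assumption: Flask's default session salt


def b64d(s: bytes) -> bytes:
    # URL-safe base64 with the stripped "=" padding restored
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def b64e(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def sign(secret: bytes, value: bytes) -> bytes:
    # assumption: key_derivation="hmac" and SHA-1, Flask's defaults
    key = hmac.new(secret, SALT, hashlib.sha1).digest()
    return b64e(hmac.new(key, value, hashlib.sha1).digest())


def read_session(cookie: str, secret: bytes) -> dict:
    """Validate the signature first, then decode; ValueError if it does not match."""
    value, _, sig = cookie.encode().rpartition(b".")
    if not value or not hmac.compare_digest(sig, sign(secret, value)):
        raise ValueError("bad signature")
    payload, _, ts = value.rpartition(b".")
    compressed = payload.startswith(b".")  # leading "." marks zlib data
    raw = b64d(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    # timestamp is returned as the raw integer stored in the cookie
    return {"data": json.loads(raw), "timestamp": int.from_bytes(b64d(ts), "big")}


def make_cookie(data: dict, secret: bytes, ts: int, compress: bool) -> str:
    """Build a constructed sample cookie in the same layout (demo input only)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    payload = b"." + b64e(zlib.compress(raw)) if compress else b64e(raw)
    value = payload + b"." + b64e(ts.to_bytes(4, "big"))
    return (value + b"." + sign(secret, value)).decode()


if __name__ == "__main__":
    demo = make_cookie({"user_id": 42}, b"constructed-demo-key", 1611671520, False)
    print(demo, read_session(demo, b"constructed-demo-key"))
```

Only the signature check needs the secret key; the payload itself decodes without it, so nothing confidential belongs in the session. Values Flask stores with its tagged JSON types (bytes, tuples, datetimes) come back here as tagged objects rather than native Python values.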