
My Flask app set secret_key, but the cookie can still be decoded without the key. #6

Closed
yxzlwz opened this issue Dec 5, 2021 · 2 comments

Comments


yxzlwz commented Dec 5, 2021

This is the code from app.py:

app.config["SECRET_KEY"] = str(random.random())

And when I run this command:

python flask_session_cookie_manager3.py decode -c ".eJyrVipOTS5KLclLzE1VslKKKTUzN0qMKTU3TzUFkqZGFkARI2NzEwszAyUdpdLi1CK4StM0AyOgrEGacUypSapJEpBtmmyqVAsAQfAZaA.Yay2mA.Q51Q7QbVLWIssD3Pfv63Bu4czL0" 

(The session content is from web cookie)

It still works! And I can see what I've just set on my server.

Who knows why? Thanks a lot.

Owner

noraj commented Dec 5, 2021

Yeah, it's normal. Flask cookies are protected only for integrity, thanks to a cryptographic signature, so users can't spoof the data embedded in the cookie. But those cookies are not protected for confidentiality, so users are free to read them. No issue there.

@noraj noraj closed this as completed Dec 5, 2021
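The integrity-only property described above, as an added example that is not code from this project or from the issue: a stdlib-only model of the Flask session cookie format that reads the payload with no key at all, then verifies the signature server-side. It assumes Flask's defaults (salt `cookie-session`, HMAC-SHA1 with "hmac" key derivation, zlib-compressed payloads marked by a leading dot); the secret key and session contents are constructed for the demo.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"  # Flask's session salt (assumed to match Flask defaults)


def _b64e(data: bytes) -> bytes:
    # URL-safe base64 without padding, as itsdangerous writes it
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret_key: bytes, value: bytes) -> bytes:
    # "hmac" key derivation: key = HMAC(secret, salt); sig = HMAC(key, value)
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())


def encode_session(data: dict, secret_key: bytes, ts=None) -> bytes:
    """Server side: JSON -> (zlib) -> base64, then timestamp and HMAC signature."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    # A leading "." marks a compressed payload
    payload = b"." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if ts is None else ts
    ts_b = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed = payload + b"." + ts_b
    return signed + b"." + _signature(secret_key, signed)


def decode_without_key(cookie: bytes) -> dict:
    """Anyone can do this: the payload is encoded, not encrypted."""
    compressed = cookie.startswith(b".")
    raw = _b64d(cookie.lstrip(b".").split(b".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)


def verify(cookie: bytes, secret_key: bytes):
    """Server side: accept the session only if the signature matches SECRET_KEY."""
    signed, _, sig = cookie.rpartition(b".")
    if not hmac.compare_digest(sig, _signature(secret_key, signed)):
        return None  # tampered payload or wrong key: session is rejected
    return decode_without_key(signed)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # real apps: secrets.token_bytes(32), not random.random()
    cookie = encode_session({"user": "alice", "role": "user"}, key)
    print(decode_without_key(cookie))   # readable by anyone holding the cookie
    print(verify(cookie, key))          # accepted by the server
    print(verify(cookie, b"wrong-key")) # None: signature does not match
```

Because the signature is an HMAC over the payload, the strength of SECRET_KEY is what stops forgery; a key built from `random.random()` is guessable, so use `secrets.token_bytes()` in real apps.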
Author

yxzlwz commented Dec 6, 2021

Seems that I asked a stupid question; maybe I mixed up Flask with Django. Thanks a lot for the reply!
