Flask Session Cookie Decoder
Paste a Flask session cookie value and the tool splits it into payload / timestamp / signature, decompresses the zlib payload if Flask compressed it, parses the JSON, and - if you supply the secret key - verifies the HMAC.
Anatomy of a Flask session cookie
Flask uses itsdangerous (a URLSafeTimedSerializer wrapping Flask's TaggedJSONSerializer) to serialize session data into a single cookie value. The format is three base64url-encoded parts, without padding, joined by a dot: payload.timestamp.signature. The payload is compact JSON. If zlib-compressing that JSON makes it smaller, the compressed bytes are encoded instead and the encoded payload is prefixed with a literal dot, so a compressed cookie begins with "." and a naive split on "." yields four fields instead of three. The timestamp is a big-endian integer: seconds since the Unix epoch with itsdangerous 2.x (the version Flask 2.0+ requires), or seconds since 2011-01-01 (itsdangerous' own epoch, 1293840000) with itsdangerous 1.x. The signature is HMAC-SHA1 over the string payload.timestamp, keyed with a derived key, HMAC-SHA1(SECRET_KEY, "cookie-session"); those are Flask's defaults for the session salt (cookie-session), key derivation (hmac) and digest (sha1). Nothing in the cookie is encrypted: anyone can read the session contents, and only the signature stops them from changing it.
For CTF challenges the typical workflow is:
- Decode the cookie to read what role / user is currently set (often something like {"is_admin": false}). No secret is needed for this step.
- Find the SECRET_KEY (leaked source, debug page, environment variable, weak guess). A weak key can be brute-forced from the cookie alone: flask-unsign --unsign --cookie '<cookie>' --wordlist wordlist.txt.
- Verify the signature here to confirm the secret is correct.
- Forge a new cookie with flask-unsign on the command line: flask-unsign --sign --cookie "{'is_admin': True}" --secret '...'. Use a fresh timestamp: Flask rejects cookies whose timestamp is older than PERMANENT_SESSION_LIFETIME (31 days by default), so re-signing an old payload with its original timestamp can fail even with the right key.
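The decode / verify / forge steps above, as an added example that is not part of this page's tool or of Flask or flask-unsign. It re-implements the cookie format from the standard library only (no itsdangerous import), under the assumptions stated in the comments: Flask's default salt, HMAC key derivation and SHA1 digest, compact JSON for plain JSON types, and itsdangerous 2.x Unix-epoch timestamps unless legacy_epoch is requested. The secret "CHANGEME" and the session dictionaries are constructed for the demo.

```python
"""Decode, verify and forge Flask session cookies (stdlib only).

Added example, not Flask's or itsdangerous' own code. Assumes Flask's default
SecureCookieSessionInterface settings: salt "cookie-session", key_derivation
"hmac", digest sha1, and the itsdangerous URLSafeTimedSerializer wire format.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"   # Flask's default session salt
LEGACY_EPOCH = 1293840000  # 2011-01-01 UTC; itsdangerous < 2.0 stored time.time() - LEGACY_EPOCH


def _b64d(s: str) -> bytes:
    """base64url without padding, as itsdangerous emits it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def derive_key(secret_key) -> bytes:
    """Flask default key derivation: HMAC-SHA1(SECRET_KEY, salt)."""
    if isinstance(secret_key, str):
        secret_key = secret_key.encode("utf-8")
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def decode_cookie(cookie: str) -> dict:
    """Split payload.timestamp.signature, inflate a '.'-prefixed payload, parse the JSON.

    Does not check the signature; that is verify_cookie()'s job.
    """
    # rsplit: a compressed payload starts with '.', so a plain split would give four parts.
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    compressed = payload_b64.startswith(".")
    raw = _b64d(payload_b64[1:] if compressed else payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    ts = int.from_bytes(_b64d(ts_b64), "big")
    # Heuristic (assumption): a value below the 2011 epoch can only be an itsdangerous 1.x offset.
    unix_ts = ts + LEGACY_EPOCH if ts < LEGACY_EPOCH else ts
    return {
        "session": json.loads(raw),
        "compressed": compressed,
        "timestamp": unix_ts,
        "signed_part": f"{payload_b64}.{ts_b64}",
        "signature": _b64d(sig_b64),
    }


def verify_cookie(cookie: str, secret_key) -> bool:
    """True only if the signature matches HMAC-SHA1(derived key, payload.timestamp)."""
    parts = decode_cookie(cookie)
    expected = hmac.new(derive_key(secret_key), parts["signed_part"].encode("ascii"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, parts["signature"])


def forge_cookie(session: dict, secret_key, timestamp: Optional[int] = None, legacy_epoch: bool = False) -> str:
    """Build a cookie Flask will accept for `session` (what flask-unsign --sign does).

    Assumption: the session holds plain JSON types, so compact json.dumps matches
    Flask's TaggedJSONSerializer output.
    """
    data = json.dumps(session, separators=(",", ":")).encode("utf-8")
    compressed = zlib.compress(data)
    if len(compressed) < len(data) - 1:  # itsdangerous compresses only when it actually saves bytes
        payload_b64 = "." + _b64e(compressed)
    else:
        payload_b64 = _b64e(data)
    now = int(time.time()) if timestamp is None else timestamp
    if legacy_epoch:
        now -= LEGACY_EPOCH
    ts_b64 = _b64e(now.to_bytes((now.bit_length() + 7) // 8, "big"))
    signed = f"{payload_b64}.{ts_b64}"
    sig = hmac.new(derive_key(secret_key), signed.encode("ascii"), hashlib.sha1).digest()
    return f"{signed}.{_b64e(sig)}"


if __name__ == "__main__":
    # Constructed demo: a weak secret and a low-privilege session, as a CTF target might ship.
    secret = "CHANGEME"
    cookie = forge_cookie({"is_admin": False, "user": "guest"}, secret)
    print("decoded:", decode_cookie(cookie)["session"])
    print("valid with right secret:", verify_cookie(cookie, secret))
    print("valid with wrong secret:", verify_cookie(cookie, "guess"))
    print("forged admin cookie:", forge_cookie({"is_admin": True, "user": "guest"}, secret))
```

decode_cookie works without the secret, which is why the first workflow step needs nothing but the cookie; verify_cookie is the "is my guessed SECRET_KEY right" check, and splicing a forged payload onto an old signature fails that check, which is the whole point of the HMAC. Cookies produced by forge_cookie against a real Flask app can be cross-checked with flask-unsign --decode, since both follow the same itsdangerous format.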
When the cookie includes auth-relevant fields (admin role, user id, CSRF token), look at related tools: the JWT Decoder for token-based auth, URL Encoder for cookies that wrap percent-encoded data, and the Checksum Calculator if the secret is leaked as a hash.
Challenges that use this tool
- Old Sessions (picoCTF 2026 · Web Exploitation · Easy)
- Cookie Monster Secret Recipe (picoCTF 2025 · Web Exploitation · Easy)
- Power Cookie (picoCTF 2022 · Web Exploitation · Medium)
- Cookies (picoCTF 2021 · Web Exploitation · Easy)
- More Cookies (picoCTF 2021 · Web Exploitation · Medium)
- Most Cookies (picoCTF 2021 · Web Exploitation · Medium)
- Who are you? (picoCTF 2021 · Web Exploitation · Medium)