Decode, verify, and forge Flask session cookies (itsdangerous / flask-unsign compatible).
Cookie format: payload.timestamp.signature (itsdangerous)
Default salt: cookie-session
Decode, verify, and forge Flask session cookies (itsdangerous URLSafeTimedSerializer). No server or Python install required.
Flask session cookies store user session data signed with HMAC-SHA1 using your app's SECRET_KEY. The data itself is not encrypted - it's simply base64-encoded JSON - so anyone with the cookie can read it. Flask-Unsign is the reference tool for working with these cookies. This tool implements the same three core operations:

- **Decode** - read the session payload from any Flask cookie without needing the secret key
- **Verify** - confirm a cookie was signed with a given secret (useful for CTFs or audits)
- **Sign** - craft a new cookie from arbitrary JSON data and a known secret
Input:
eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYWRtaW4ifQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8
Output:
{ "logged_in": true, "username": "admin" }

Is the session data encrypted?
No. Flask session cookies are signed, not encrypted. The payload is plain base64-encoded JSON that anyone can read. If you need confidentiality, use server-side sessions or encrypt the data before storing it.
What is the default salt?
Flask uses 'cookie-session' as the default salt when signing session cookies. If the app overrides the itsdangerous salt parameter, you need to supply the correct value in the Salt field.
Why does Verify return false even with the correct secret?
The most common causes are a wrong salt (default is 'cookie-session'), a secret key stored as bytes in Python (try prefixing it with b), or a legacy cookie signed without a timestamp. Try different salts or check the app source.
What is a compressed cookie?
When the session payload exceeds a size threshold, Flask compresses it with zlib and prepends a '.' to the cookie. This tool detects and decompresses those automatically.
Can I use this for CTF challenges?
Yes - this is the browser-based equivalent of the flask-unsign CLI tool commonly used in web CTFs. Paste the cookie, try known secrets in the Verify tab, then craft a forged cookie in the Sign tab.
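As an added, stand-alone example (not the tool's own code, nor code from flask-unsign or itsdangerous), here are the three operations the page describes, decode, verify and sign, implemented directly against the cookie format Flask uses: a payload.timestamp.signature triple, HMAC-SHA1 with itsdangerous' "hmac" key derivation (the signing key is HMAC-SHA1(SECRET_KEY, salt)) and the default salt cookie-session, with the "."-prefixed zlib-compressed form handled. SAMPLE_COOKIE is the page's Input cookie (its secret is unknown, so it is only decoded), "constructed-test-secret" is a made-up key, and every function name is this example's own. It assumes the app serializes plain JSON-compatible dicts; Flask's tagged JSON serializer encodes special types (datetimes, tuples) differently, which affects signing but not decoding or verifying an existing cookie.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask defaults: salt "cookie-session", digest SHA-1, itsdangerous key_derivation="hmac".
DEFAULT_SALT = b"cookie-session"

# The page's Input cookie; secret unknown, used here for decoding only.
SAMPLE_COOKIE = "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYWRtaW4ifQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8"


def _b64decode(s):
    # itsdangerous strips '=' padding from base64url; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _split(cookie):
    # A leading '.' flags a zlib-compressed payload; it is not a field separator.
    compressed = cookie.startswith(".")
    parts = (cookie[1:] if compressed else cookie).split(".")
    if len(parts) != 3:
        raise ValueError("expected payload.timestamp.signature")
    return compressed, parts[0], parts[1], parts[2]


def decode_payload(cookie):
    """Decode: read the session data. No secret needed; the payload is only base64 JSON."""
    compressed, payload_b64, _, _ = _split(cookie)
    raw = _b64decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def session_timestamp(cookie):
    """Unix time at which the cookie was signed (big-endian integer, base64url)."""
    _, _, ts_b64, _ = _split(cookie)
    return int.from_bytes(_b64decode(ts_b64), "big")


def _derived_key(secret, salt):
    # Flask configures itsdangerous with key_derivation="hmac": key = HMAC-SHA1(secret, salt).
    # Accepts str or bytes, since a SECRET_KEY stored as bytes derives a different key.
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    return hmac.new(secret, salt, hashlib.sha1).digest()


def verify_session(cookie, secret, salt=DEFAULT_SALT):
    """Verify: True only if the signature is HMAC-SHA1 over 'payload.timestamp' under this secret/salt."""
    # rpartition keeps a leading '.' (compressed marker) inside the signed value, as itsdangerous does.
    signed_value, _, sig_b64 = cookie.rpartition(".")
    try:
        given = _b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(_derived_key(secret, salt), signed_value.encode("ascii"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, given)


def sign_session(data, secret, salt=DEFAULT_SALT, timestamp=None):
    """Sign: build a cookie from JSON data with a secret you hold (e.g. your own app's key, for tests)."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    payload = _b64encode(raw)
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:  # itsdangerous compresses only when it actually saves space
        payload = "." + _b64encode(compressed)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_value = payload + "." + ts_b64
    sig = hmac.new(_derived_key(secret, salt), signed_value.encode("ascii"), hashlib.sha1).digest()
    return signed_value + "." + _b64encode(sig)


if __name__ == "__main__":
    print(decode_payload(SAMPLE_COOKIE), session_timestamp(SAMPLE_COOKIE))
    cookie = sign_session({"user": "alice", "role": "viewer"}, "constructed-test-secret")
    print(verify_session(cookie, "constructed-test-secret"), verify_session(cookie, "other"))
```

When verify_session returns False for a cookie you believe you hold the key for, the FAQ's checklist applies in code terms: pass a different salt, pass the secret as bytes rather than str, or check that the cookie really has three dot-separated fields (a legacy cookie without a timestamp has only two and is not covered here).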