Why is it so hard to get an example of what a Set-Cookie session cookie header looks like for Django? No, I don't want to know how to use cookies in a Django app, I want to see the raw HTTP output. I swear Google is getting worse.

Edit: appears that I'm specifically looking for an example output of django.contrib.sessions.serializers.PickleSerializer or django.contrib.sessions.backends.signed_cookies, not the standard sessionid=....
#django #http #sessioncookies

@postmodern I have one handy if this is helpful
@wilson is the session cookie only returned when you login? Or is the csrftoken used as the session ID?
@postmodern yeah session cookie is only upon login, separate from csrftoken
@wilson I'm curious what cookie param name is used for the Django session cookie base64 blob, and if it can be reliably used to identify Django session cookies?
@postmodern oh sorry i missed the "session cookie header" part of the initial toot. cookie param is "session" or "session_id" — i had just gone afk but i can get back to you with the details later if you haven't found it by then.
@wilson appears what I'm really looking for is an example of using django.contrib.sessions.serializers.PickleSerializer which pickles and possibly signs the session blob.

@postmodern so... i just checked on my local and found that session_id corresponds directly to the id in django_session table (this is a fairly new app and the default uses db session — https://docs.djangoproject.com/en/4.1/topics/http/sessions/#using-database-backed-sessions) not even base64'd, just exact match on the id

the session data seems to be encrypted? i see that mine starts with a period, then later on has two colons (:) as if they're IV β€” perhaps the output of the pickleserializer?

@wilson does Django support HMAC signed serialized cookies that are transmitted via Set-Cookie or is session data always stored on the server?
@wilson awesome! now I just need to find a real-world example to ensure my parsing code matches, and for tests. Writing a little library to deserialize various session cookie formats.
@postmodern idk how familiar you are with django, but it’s minimal setup to get a django “app” running (the builtin admin panel is an app) and changing the session storage strategy in settings.py might get you something to fiddle with locally!

@wilson I had to figure out Django's weird "project" vs. "app" design, and wire up a "view" to set a "session variable" which apparently you do by modifying request.session, and set SESSION_ENGINE to 'django.contrib.sessions.backends.signed_cookies', but I finally got it:

Set-Cookie: sessionid=eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA; expires=Fri, 24 Feb 2023 23:07:05 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

The first part of the session cookie is the Base64 JSON serialized session variables. The second part appears to be the request ID or some kind of counter, and the third part must be related to the HMAC.

If I set SESSION_SERIALIZER to 'django.contrib.sessions.serializers.PickleSerializer' (which is apparently getting removed in 5.0, but is probably still used), I get the pickled session variables:

Set-Cookie: sessionid=gAWVEAAAAAAAAAB9lIwDZm9vlIwDYmFylHMu:1pQcay:RjaK8DKN4xXQ_APIXXWEyFS08Q-PGo6UlRBFpedFk9M; expires=Fri, 24 Feb 2023 23:14:20 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax

#django #sessioncookies

@postmodern yeah the onboarding experience of Django isn't great, i also still don't think those decisions made it easy for people to maintain Django projects either.

looks like you've got the parameters you were looking for though! the explanation is sound.

@wilson I'm still not 100% certain what the second field is. It appears to be a base64 encoded 32-bit network int, but it's counting up the longer the app runs:

require 'base64'

# decode the second field as Base64 and read the first four bytes as a big-endian uint32
Base64.decode64('1pQdVr').unpack1('N')
# => 3600031062
Base64.decode64('1pQdW3').unpack1('N')
# => 3600031067
django/base.py at b6ed389eec3e72d50301f456d711496331abd7b3 · django/django (GitHub)
@wilson ah! It's a timestamp used as the salt.

@postmodern that's what i'm reading, but at the same time there is a parameter `salt` of which the value is the package import path... so doubly salted? extra salty?

could just be inaccurate naming over refactors though, so i didn't want to read too much into it.
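Pulling the three fields of the signed_cookies value apart, and checking them the way Django does before deserializing anything, as an added Ruby example that is not code from this thread or from the Django project. It assumes the salt string and HMAC construction of Django 4.1's signing module (urlsafe base64 of an HMAC-SHA256 keyed with SHA-256 over salt + "signer" + SECRET_KEY), a constructed secret for the round trip, and the JSONSerializer format only; the real cookies quoted above can have their payload and timestamp decoded but not their signature checked, since their SECRET_KEY is not known.

```ruby
%w[base64 digest json openssl zlib].each { |lib| require lib }

BASE62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
# Salt the signed_cookies backend hands to signing.dumps (the import path noted in the thread);
# Django appends "signer" to it when deriving the HMAC key (assumed from Django 4.1's signing module)
SESSION_SALT = 'django.contrib.sessions.backends.signed_cookies'
# The JSON-serialized cookie value captured in the thread; its SECRET_KEY is unknown
PAGE_COOKIE = 'eyJmb28iOiJiYXIifQ:1pQcTx:UufiSnuPIjNs7zOAJS0UpqnyvRt7KET7BVes0I8LYbA'

# Second field: int(time.time()) in Django's base62 alphabet (digits, then upper, then lower case)
def b62_decode(s)
  s.each_char.reduce(0) { |acc, c| acc * 62 + BASE62.index(c) }
end
def b62_encode(n)
  n.digits(62).reverse.map { |d| BASE62[d] }.join
end
# Django strips the '=' padding from its urlsafe base64; restore it before decoding
def b64url_decode(s)
  Base64.urlsafe_decode64(s + '=' * ((4 - s.length % 4) % 4))
end
# Third field: urlsafe-b64(HMAC-SHA256(key = SHA256(salt + "signer" + SECRET_KEY), msg = "payload:timestamp"))
def django_signature(value, secret, salt = SESSION_SALT)
  key = Digest::SHA256.digest(salt + 'signer' + secret)
  Base64.urlsafe_encode64(OpenSSL::HMAC.digest('SHA256', key, value), padding: false)
end
# First field; a leading '.' means Django zlib-compressed the serialized session before base64
def decode_payload(payload)
  raw = b64url_decode(payload.delete_prefix('.'))
  payload.start_with?('.') ? Zlib::Inflate.inflate(raw) : raw
end
# Inspect only, no verification: fine for looking at a JSON payload, never for unpickling one
def parse_session_cookie(cookie)
  payload, ts, sig = cookie.split(':', 3)
  { data: JSON.parse(decode_payload(payload)), timestamp: b62_decode(ts), signature: sig }
end
# Verify the HMAC and the age first, deserialize second; returns the session hash or nil
def load_session_cookie(cookie, secret, now: Time.now.to_i, max_age: 1_209_600)
  payload, ts, sig = cookie.split(':', 3)
  expected = django_signature("#{payload}:#{ts}", secret)
  same = sig && expected.bytesize == sig.bytesize &&
         expected.bytes.zip(sig.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  return nil unless same && now - b62_decode(ts) <= max_age
  JSON.parse(decode_payload(payload))
end

# Build a cookie the way Django does, for round-trip tests with a key you control (constructed)
def build_session_cookie(data, secret, timestamp)
  signed = "#{Base64.urlsafe_encode64(JSON.generate(data), padding: false)}:#{b62_encode(timestamp)}"
  "#{signed}:#{django_signature(signed, secret)}"
end
```

The default max_age of 1209600 seconds matches the Max-Age on the Set-Cookie lines above; the second field of the captured cookie decodes to the moment the cookie was issued, fourteen days before its expires value.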