In Django how to decrypt the session id in database and in cookie with my SECRET_KEY?
Question
I created one Django application with below settings - (for cookie base session)
SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer'
Then I got a session id
sessionid=.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFqcWxWemTOlhMjSY0iOEJJiUmJydmgeU0UzJSsxLz9dLzs8rKcpM0gMp0YPKFuv55qek5jjB1PIjGZCRWJwxpUfDMNUk1STJ1MLc0tLczDLNyMg0ydDQzDTJzCjZ0jg50SLR3NDc3DzReEqpHgBcETf7:1eVt50:xtWtUp9mwcxusxtg6fZB_tHzlYw
With another setting (for database-backed sesisons)
SESSION_ENGINE = 'django.contrib.sessions.backends.db'
SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
I got below encrypted string in database:
gzc9c9nwwraqhbdsk9xg935ypkqp7ecs|MmExZWI0NjZjYzIwNDYyZDhjNWVmODJlNmMwNjI0ZmJmMjQ4MTljNDp7Il9hdXRoX3VzZXJfaWQiOiIxMCIsIl9hdXRoX3VzZXJfYmFja2VuZCI6ImRqYW5nby5jb250cmliLmF1dGguYmFja2VuZHMuTW9kZWxCYWNrZW5kIiwiX2F1dGhfdXNlcl9oYXNoIjoiMWU0ZTRiNTg3OTk3NjlmMjI1YjExNjViNjJjOTNjYThhNzE3NzdhMyIsImxhc3RfbG9naW4iOjIyMjJ9
I want to know what is inside both the encrypted strings.
- How can I decrypt both?
- Which encryption algorithm django uses for encryption?
- Where can I set the encryption algorithms?
It will be great, if anyone can give me a sample code.
2 answers
solution1
1 2018-01-01 06:34:11
First off, I would not recommend you use PickleSerializer unless you have a good reason to change the default session serializer and understand the security implications .
The cookies you have aren't encrypted, they're just encoded as url-safe base64 (optionally compressed with zlib) and then signed:
In [8]: import base64
In [9]: base64.urlsafe_b64decode('MmExZWI0NjZjYzIwNDYyZDhjNWVmODJlNmMwNjI0ZmJmMjQ4MTljNDp7Il9hdXRoX3VzZXJfaWQiOiIxMCIsIl9hdXRoX3VzZXJfYmFja2VuZCI6ImRqYW5nby5jb250cmliLmF1dGguYmFja2V
... uZHMuTW9kZWxCYWNrZW5kIiwiX2F1dGhfdXNlcl9oYXNoIjoiMWU0ZTRiNTg3OTk3NjlmMjI1YjExNjViNjJjOTNjYThhNzE3NzdhMyIsImxhc3RfbG9naW4iOjIyMjJ9')
Out[9]: '2a1eb466cc20462d8c5ef82e6c0624fbf24819c4:{"_auth_user_id":"10","_auth_user_backend":"django.contrib.auth.backends.ModelBackend","_auth_user_hash":"1e4e4b58799769f225b1165b62c93ca8a71777a3","last_login":2222}'
In [10]: base64.urlsafe_b64decode('.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFqcWxWemTOlhMjSY0iOEJJiUmJydmgeU0UzJSsxLz9dLzs8rKcpM0gMp0YPKFuv55qek5jjB1PIjGZCRWJwxpUfDMNUk1STJ1MLc0tLczDLNyMg0ydDQz
... DTJzCjZ0jg50SLR3NDc3DzReEqpHgBcETf7').decode('zlib')
Out[10]: '\x80\x04\x95\x98\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\r_auth_user_id\x94\x8c\x0210\x94\x8c\x12_auth_user_backend\x94\x8c)django.contrib.auth.backends.ModelBackend\x94\x8c\x0f_auth_user_hash\x94\x8c(1e4e4b58799769f225b1165b62c93ca8a71777a3\x94u.'
This is all handled by your SESSION_ENGINE :
from importlib import import_module
from django.conf import settings
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
session_data = SessionStore().decode('.eJxrYJk6gwECaqdo9PDGJ5aWZMSXFq......')
solution2
1 ACCPTED 2018-01-01 07:35:33
Documentation about signing values using the secret key can be found at: https://docs.djangoproject.com/en/2.0/topics/signing/
Looking at the session id string that looks like a complex value: https://docs.djangoproject.com/en/2.0/topics/signing/#protecting-complex-data-structures
>>> from django.core import signing
>>> value = signing.dumps({"foo": "bar"})
>>> value
'eyJmb28iOiJiYXIifQ:1NMg1b:zGcDE4-TCkaeGzLeW9UQwZesciI'
>>> signing.loads(value)
{'foo': 'bar'}
So try to do signing.loads(session_id)
But that can fail also due to the wrong salt. Just read up about Django sessions to find out more about storage. Especially https://docs.djangoproject.com/en/2.0/topics/http/sessions/ and how to implement your own serializer/storage
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.