@glarrain
Created October 30, 2012 19:37
Decode session data, no matter what hashes say. It helps in some cases where the Session.get_decoded method returns an empty dictionary because it is "suspicious" of user-data tampering. Based on source code from the Django project.
import base64
import pickle

from django.contrib.sessions.models import Session
from django.utils.encoding import force_unicode


def decode_session_data(session_key):
    """Decode the data in a session object stored under ``session_key``.

    :param session_key: e.g. ``'1180b5ed42c2a3a5f217e35b755865da'``
    :return: decoded session data
    :rtype: :class:`dict`
    """
    session_obj = Session.objects.get(pk=session_key)
    session_data = force_unicode(session_obj.session_data)
    # Stored layout: base64("<hash>:<pickled dict>")
    encoded_data = base64.decodestring(session_data)
    # The hash is split off and deliberately not verified.
    hash, pickled = encoded_data.split(':', 1)
    # pickle.loads() can execute code embedded in the data, so only run this
    # on session rows you trust.
    return pickle.loads(pickled)
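
Added example, not part of the gist or of Django: the function above unpickles data whose hash was never checked, and pickle.loads() can run code while loading, so this sketch verifies the hash first and, when it fails, loads only pickles made of plain values. The secrets, the plain HMAC-SHA1 signing and the sample sessions are constructed assumptions standing in for Django's own scheme.

```python
import base64
import hashlib
import hmac
import pickle
import pickletools

# Opcodes that import a name, call an object or build an instance during load.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                 "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4", "PERSID", "BINPERSID"}


def sign(secret, pickled):
    # Assumption: plain HMAC-SHA1 stands in for Django's own salted HMAC.
    return hmac.new(secret, pickled, hashlib.sha1).hexdigest().encode("ascii")


def encode_session(secret, data):
    """Build a constructed sample blob: base64(hash + b":" + pickle)."""
    pickled = pickle.dumps(data, protocol=2)
    return base64.b64encode(sign(secret, pickled) + b":" + pickled)


def decode_session(secret, session_data):
    """Return (data, report); data is None when the blob is refused."""
    report = {"hash_ok": False, "risky_opcodes": [], "refused": None}
    stored_hash, sep, pickled = base64.b64decode(session_data).partition(b":")
    if not sep:
        report["refused"] = "no hash separator"
        return None, report
    report["hash_ok"] = hmac.compare_digest(stored_hash, sign(secret, pickled))
    if not report["hash_ok"]:
        try:
            # genops() only parses the opcode stream; it executes nothing.
            seen = {op.name for op, _arg, _pos in pickletools.genops(pickled)}
        except Exception:
            report["refused"] = "unparseable pickle"
            return None, report
        report["risky_opcodes"] = sorted(seen & RISKY_OPCODES)
        if report["risky_opcodes"]:
            report["refused"] = "unverified pickle would construct objects"
            return None, report
    # Reached only for verified data or unverified data made of plain values.
    return pickle.loads(pickled), report
```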

masterPiece93 commented Sep 1, 2025

@glarrain Please specify the Django and Python versions as well (the ones on which this snippet runs).

On Python 3.12 and Django 5+, the following are the issues with this script:

  1. Not importable: from django.utils.encoding import force_unicode
    • So use from django.utils.encoding import force_str or from django.utils.encoding import force_text, whichever works with your version, as in Django 3.0+ force_unicode was renamed to force_text, and then in later versions it was further refined to force_str.
  2. base64.decodestring won't work
    • Replace base64.decodestring() with base64.decodebytes()
      • base64.decodestring() was deprecated in Python 3.1
      • The decodebytes() function provides the same functionality and is the current standard for Base64 decoding in Python.

Anyway, if your use case is the same as mine, i.e. viewing the session data in decoded form, you can simply write a custom SessionAdmin, register it, and view it in the Django admin panel. Here's the code you can include in your admin.py file:

# admin.py file
import pprint

from django.contrib import admin
from django.contrib.sessions.models import Session
from django.utils.html import format_html


class SessionAdmin(admin.ModelAdmin):
    list_display = ['session_key', '_session_data', 'expire_date']
    readonly_fields = ['_session_data']
    # Hide the encoded session blob. Comment this out if you want to see
    # the encoded session data as well.
    exclude = ['session_data']

    def _session_data(self, obj):
        # allow_tags was removed in Django 2.0. format_html() escapes the
        # decoded values, which may hold user-controlled strings, and <pre>
        # keeps the pprint line breaks.
        return format_html('<pre>{}</pre>', pprint.pformat(obj.get_decoded()))


admin.site.register(Session, SessionAdmin)

NOTE: I am using Python 3.12 and Django==5.2.5.

glarrain commented Sep 3, 2025

@masterPiece93

Created 13 years ago
