Decode Django session data without the infrastructure

I recently had to access Django session data from a cookie in a third party application (based on Tomcat) with no access to the Django infrastructure. This example shows how I did it.

The key is understanding that the session data is composed of two components: a unique token and the data separated by a colon (:).

The unique token is composed of various parts including the SECRET_KEY from It is built using the data and the SHA1 hash algorithm. The token can be used to guarantee that the data is associated with the correct Django session.

The data is simply a pickled dictionary of plaintext data so it can be decoded without regard to the token and, by implication, the SECRET_KEY.

With this in mind, it is easy to see that the session data can be decoded by a third party application by simply unpickling it.

The data is secure because it is not available in the session cookie. The session cookie only contains the encrypted session key which references the session data in the context of the Django application. To access the data the 3rd party must have access to that context. In my case it would be done through the database.

One thought on “Decode Django session data without the infrastructure”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.