我正在参加 CTF 竞赛,并在尝试操作 Flask 会话 cookie 时遇到了问题。
具体来说,我能够使用Flask Session Cookie Decoder/Encoder成功解码它(无需密钥):
python flask_session_cookie_manager3.py decode -c ".eJwtjkGKAzEMBL-S9TkHy5Yte96wP1jCIEvyJmxIYDxzCvn7-pBTUw1N18ut_c7jasMtPy932me4cYjYGO7svp-_t8fpw_24f7nL-3Kem83G1S37dtikm7rFQUJBRSOL1GKWVCoRC3ED7VAz9FKsVi9aO2RgJmgSi88VuQCmXghjaRZjSCqBDTm3qE1LAh8bGnuG3jAHCV4iZlAoPkhiAGghT9v1GLZ9bCbK2Pq6P__sMQuev2ZcKQFkMinJWhRSqB4hYyWv2oWre_8D5vtQyA.ZTUbZQ.erv_yZmYg44tiaJ0u8fqKailHUc"
如下所示:
b'{"_flashes":[{" t":["success","Login successful!"]}],"_fresh":true,"_id":"154c4d4e7e37b36c58977ac7ab1df1961f88e990cd9f161aa71bc380694a8145f87438be3325dc2ae4a6b3dbd85103b4ea0a1fb462c20c3461d1802c5a111b26","_user_id":"1","csrf_token":"acd9eea9751167ec85eb3c7d1904164970ddfca9"}'
但当我尝试操纵它并再次签名时,我发现我必须使用原始密钥。
这是为什么?