Spindrift Workspace
A small project-management SaaS for freelance creatives — work boards, deadlines, client-share. The login form stamps a tidy little session token and never opens the envelope twice.
The Scenario
Two founders, eighteen months in, no marketing budget, no AI features. They built their own session layer one weekend "because we don't need a whole library for this." A junior contractor noted in the team Linear that the cookie was "stateless and self-describing" and shipped it.
Challenge Intel
Synopsis
After login, the server sets sw_session = base64(JSON({role:"member"})) with no signature. /admin/billing trusts the cookie's role field.
What It Is
The login route in app.py base64-encodes a small JSON payload and drops it into the sw_session cookie unsigned. Every route base64-decodes and json.loads the cookie without verifying it. /admin/billing reads data["role"] and renders the flag when it equals "admin". The player decodes the cookie, flips member→admin, re-encodes it, and replays the request.
Who It's For
Brand-new players. The introductory challenge in the cookies module. No tooling beyond browser dev-tools, base64, and a JSON editor.
Skills You'll Practice
- Reading and decoding a base64-encoded cookie value
- Recognising a session token that carries server-trusted state
- Re-encoding tampered JSON and replaying the request
What You'll Gain
- Client-side session state must be signed (or encrypted and authenticated) with a key only the server holds, and that signature must be checked before any field is trusted; otherwise keep the state server-side and hand the client an opaque identifier
- If you can read the contents of a cookie in plain JSON, you can rewrite them
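The round trip described under What It Is and Skills You'll Practice, followed by the fix the first takeaway calls for, as an added example; this is not Spindrift's app.py or any code from the challenge. The unsigned functions mirror the cookie scheme the synopsis describes. The signed versions, the SERVER_KEY constant, the body.tag cookie layout and the "FLAG" / "403 Forbidden" / "401 Unauthorized" return strings are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# ---- The challenge's scheme: base64(JSON) with nothing protecting it ----

def make_unsigned_cookie(claims: dict) -> str:
    """What the login route does: serialise the claims and base64 them."""
    return base64.b64encode(json.dumps(claims).encode()).decode()


def read_unsigned_cookie(cookie: str) -> dict:
    """What every route does: decode and json.loads, no verification."""
    return json.loads(base64.b64decode(cookie))


def tamper_role(cookie: str, new_role: str = "admin") -> str:
    """The player's move: decode, flip the role, re-encode."""
    claims = read_unsigned_cookie(cookie)
    claims["role"] = new_role
    return make_unsigned_cookie(claims)


def admin_billing_unsigned(cookie: str) -> str:
    """Models /admin/billing: trusts whatever role the cookie claims."""
    data = read_unsigned_cookie(cookie)
    return "FLAG" if data.get("role") == "admin" else "403 Forbidden"


# ---- The fix: HMAC the serialised claims with a server-only key ----

# Assumption: a per-deployment secret. A real app loads it from config;
# a fresh random value at import time is only for this stand-alone demo.
SERVER_KEY = secrets.token_bytes(32)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _serialise(claims: dict) -> str:
    # Deterministic serialisation so the same claims always sign the same way.
    return _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def make_signed_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Serialise, then append an HMAC-SHA256 tag over the encoded body."""
    body = _serialise(claims)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> dict:
    """Verify the tag before parsing; reject anything that does not match."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        raise ValueError("malformed cookie")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time their way to a valid tag.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def tamper_signed_body(cookie: str, new_role: str = "admin") -> str:
    """The same trick against the signed cookie: edit the body, keep the old tag."""
    body, _, tag = cookie.rpartition(".")
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["role"] = new_role
    return f"{_serialise(claims)}.{tag}"


def admin_billing_signed(cookie: str) -> str:
    """/admin/billing after the fix: no valid tag means no role, hence no flag."""
    try:
        data = read_signed_cookie(cookie)
    except ValueError:
        return "401 Unauthorized"
    return "FLAG" if data.get("role") == "admin" else "403 Forbidden"


if __name__ == "__main__":
    issued = make_unsigned_cookie({"role": "member"})
    print("unsigned, tampered:      ", admin_billing_unsigned(tamper_role(issued)))
    signed = make_signed_cookie({"role": "member"})
    print("signed, body edited:     ", admin_billing_signed(tamper_signed_body(signed)))
    forged = make_signed_cookie({"role": "admin"}, key=b"guess")
    print("signed, wrong key:       ", admin_billing_signed(forged))
```

Base64 is an encoding, not encryption, so the player can read the JSON in plain text and, because nothing binds it to the server, rewrite it. The HMAC tag changes only one thing: the server now refuses any body it did not produce itself. It does not, on its own, expire or revoke a session, which is why signed cookies in practice also carry an expiry claim or are replaced by a server-side session store.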
Ready to hack Spindrift Workspace?
This challenge is free. Sign up and start hacking.