fusionauth.sso cookie's value is encoded?

  • Hello,

    I was looking at the fusionauth.sso cookie and its value seems to be encoded, as I used the "jwt/refresh?userId" API endpoint to retrieve all currently active refresh tokens, and none of the tokens' ids matched with the value of the fusionauth.sso cookie. However, when I look at the value of the fusionauth.session cookie, it corresponds perfectly with the id of the refresh token for the FusionAuth session.

    I am wondering why one of the session cookies corresponds to the id of a refresh token (fusionauth.session), whereas the other (fusionauth.sso) does not. Perhaps one is encoded and the other is not? Thanks!

  • @yb98 I just figured this out: the cookie value is encoded in Base64, and you can simply decode it to retrieve the actual token id.

  • @yb98

    Glad that you were able to get this figured out!


  • Hi!

    I was wondering exactly the same, but unlike @yb98, decoding the content of fusionauth.sso (Base64) does not match my refresh token (like, not at all).

    Is there a trick (special encoding or something)?

    Thanks 🙂

  • @pleymor Yeah, it is slightly tricky. You can try decoding it at https://www.base64decode.org/ and you will get some gibberish, but the refresh token will be a substring of the decoded token. The length of the decoded token may also vary depending on your browser.
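
The check described in the replies above can be done locally, so the session cookie value never leaves your machine. This is an added example, not part of the original thread and not FusionAuth code; the sample id, the bytes around it and the function names are constructed for illustration, and accepting URL-safe, unpadded or percent-encoded input is an assumption.

```python
import base64
import binascii
from urllib.parse import unquote


def decode_cookie(value: str) -> bytes:
    """Base64-decode a cookie value copied from the browser.

    Assumption: the value may be percent-encoded, may use the URL-safe
    alphabet and may have lost its '=' padding, so all three are normalised.
    """
    cleaned = unquote(value.strip()).replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError("cookie value is not Base64") from exc


def match_refresh_tokens(cookie_value: str, known_ids: list[str]) -> dict[str, int]:
    """Map each known refresh token id found in the decoded cookie to its byte offset.

    The decoded cookie is mostly non-printable bytes, so the id is searched
    for as an ASCII substring instead of comparing the whole value.
    """
    decoded = decode_cookie(cookie_value)
    hits = {}
    for token_id in known_ids:
        offset = decoded.find(token_id.encode("ascii"))
        if offset != -1:
            hits[token_id] = offset
    return hits


# Constructed sample: an id wrapped in arbitrary binary bytes.
# This layout is NOT FusionAuth's real cookie format.
SAMPLE_ID = "3f2b8c1e-5d4a-4e7b-9c6f-0a1b2c3d4e5f"
SAMPLE_RAW = b"\x00\x01\xac\xed" + SAMPLE_ID.encode("ascii") + b"\xff\x10"
SAMPLE_COOKIE = base64.urlsafe_b64encode(SAMPLE_RAW).decode("ascii").rstrip("=")

if __name__ == "__main__":
    ids_from_api = [SAMPLE_ID, "00000000-0000-0000-0000-000000000000"]
    print(match_refresh_tokens(SAMPLE_COOKIE, ids_from_api))
```

Pass the ids returned by the refresh token listing as `known_ids`; an empty result means none of them appears as text inside the decoded cookie.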
