You've misunderstood the format of the default Flask session implementation. The session object produces cryptographically signed JSON that is then (optionally) compressed and then base64-encoded to store session values, making sure that a client cannot tamper with the values stored in it. In your case no compression was applied (compression is only applied if this reduces the final output size).
This is a change from the previous format using pickle, to limit the damage an attacker can do if the server-side secret was compromised (see a blog post of mine on why pickle can be dangerous).
In other words, all Flask did is swap out the serializer, from pickle to an extended tagged JSON format, but the pre-existing cryptographic signature and compression have been left in place.
As such that format is not really suitable for decoding again on the client side (you'd have to decode the base64, possibly decompress the data, split out the signature, and you may have to interpret the extra type tagging). You could switch the session implementations for that but that is very much not recommended.
If you want to share data with the client-side, you could just embed data into the page in a <script> block with var session_data = {{data|tojson|safe}};, or set a separate cookie with the data.
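The decoding steps listed above (split out the signature, decode the base64, possibly decompress), as an added example that is not part of the original answer or Flask's own code. It assumes the cookie layout and signing defaults of itsdangerous's URLSafeTimedSerializer as Flask configures it (salt "cookie-session", HMAC-SHA1); the secret and cookies are constructed samples, and make_cookie, read_cookie and sign are hypothetical helper names.

```python
import base64, hashlib, hmac, json, zlib

SECRET = b"constructed-demo-secret"  # constructed sample, not a real key

def b64e(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")

def b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))

def sign(secret: bytes, value: bytes) -> bytes:
    # Assumed defaults: signing key = HMAC-SHA1(secret, b"cookie-session")
    key = hmac.new(secret, b"cookie-session", hashlib.sha1).digest()
    return b64e(hmac.new(key, value, hashlib.sha1).digest())

def make_cookie(secret: bytes, data: dict, timestamp: int = 1700000000) -> bytes:
    """Build a constructed sample cookie in the assumed layout (demo input)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    # Compression is kept only when it shrinks the payload; a leading "." marks it.
    payload = b"." + b64e(packed) if len(packed) < len(raw) - 1 else b64e(raw)
    value = payload + b"." + b64e(timestamp.to_bytes(4, "big"))
    return value + b"." + sign(secret, value)

def read_cookie(cookie: bytes, secret: bytes = None):
    """Return (data, signature_ok); signature_ok is None when no secret is given."""
    value, sig = cookie.rsplit(b".", 1)          # split out the signature
    payload, _timestamp = value.rsplit(b".", 1)  # then the timestamp
    ok = None if secret is None else hmac.compare_digest(sig, sign(secret, value))
    compressed = payload.startswith(b".")
    body = b64d(payload[1:] if compressed else payload)
    if compressed:
        body = zlib.decompress(body)
    # Tagged values (tuples, bytes, ...) appear as single-key dicts such as {" t": [...]}.
    return json.loads(body), ok

if __name__ == "__main__":
    small = make_cookie(SECRET, {"user": "alice"})
    print(small, read_cookie(small))             # readable without the secret
    forged = b64e(b'{"user":"admin"}') + small[small.index(b"."):]
    print(read_cookie(forged, SECRET))           # payload decodes, signature fails
```

Reading the payload needs no secret, so the session contents are not confidential; only the server, holding the secret, can tell a genuine cookie from an edited one.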