hi,
i want to decode a session string (directory session_tmp/)... who knows a good software or algorithm ?

in the first place, there's hardly ever a directory called session_tmp/ unless a person creates it and is dumb enough to make it available to you.
i'm not sure if you're referring to a certain challenge on the site (can't remember all the exploits since i've done them quite some time ago, and granted, not all the exploits are realistic. but then again, no one tells you that a certain picture contains a hidden message and asks you to find it in real life either.) but before you talk about "decoding a session string", which in itself doesn't make sense, you should try to understand first, what is a session.

i'll talk a little on sessions (very basic and limited information because i'm lazy and hungry and a hungry man does not think) but i'm not going to answer your question directly. i personally think that it's best that you do your research before asking this way. you'll learn a lot faster (at least you have a specific topic, a specific problem, a specific goal, you won't get "lost" like you do at challenges).

a session is basically a set of information stored on the host of the website, created when a person visits the site and destroyed when the person leaves the site. as with php (i'm not touching on other languages), the session id is first assigned to the browser (cookies). if that fails, the session id will be passed through the url (that's why sometimes you see ?PHPSESSID=xxxxxxxxxxxxxxx appended at the back of your URL sometimes.) on a linux server (i'm not touching on windows, since most servers these days run php on linux), sessions are stored in /tmp, which is obviously inaccessible to you via normal methods (unless you host a shell script / have access to a shell). some people suggest changing the directory to some place other than /tmp, but that isn't necessarily more secure since it can still be located with a few commands. quoting a few books on php security, it would be wise to store session in a database and coordinate with php to do session handling from there.

that's it. one short paragraph. irrelevant to your question but some knowledge all the same for those who didn't know.

well on the serverside the sessions are stored in a directory which is moveable

PHP is designed to be as one shot as possible, so te data that has to be saved between requestes is minimal and transparanlty saved. typically in /tmp (on *nux systems). session.save_path...

Thing with these files is that they are unencrypted. when one has some vulnerable webapplication, listing the information in those files typically reveals the logindata of logged in users.

Great! Thx a lot !!!