Joe Grossberg
2009-Dec-21 17:25 UTC
Given the session key and secret, how can we decrypt cookie-based sessions?
Hello all. I've got a question about how Rails handles cookie encryption/decryption.

I've got this in my config/environment.rb:

    config.action_controller.session = { :session_key => [some key], :secret => [some secret] }

And this in config/environment/production.rb et al.:

    ActionController::Base.session_options[:session_domain] = [some domain]

So far, so good -- as long as all my Rails apps have the same session_key and secret, and are on the same domain, they can all use that same cookie.

However, a colleague now has a JSP application (on the same domain), with which he'd like to read the cookies I have set.

So, given a secret and an encrypted cookie value, how would we decrypt it to get the contents of that cookie?

(The docs seem to indicate this is one-way SHA1 encryption by default -- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -- but then how would my Rails applications read the contents of a cookie that is one-way encrypted?)

Thanks in advance for any tips/pointers/insight,
Joe
Frederick Cheung
2009-Dec-21 19:34 UTC
Re: Given the session key and secret, how can we decrypt cookie-based sessions?
> So, given a secret and an encrypted cookie value, how would we decrypt
> it to get the contents of that cookie?
>
> (The docs seem to indicate this is one-way SHA1 encryption by default
> -- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -- but
> then how would my Rails applications read the contents of a cookie
> that is one-way encrypted?)

Session cookies aren't encrypted (there is a cryptographic signature to prevent tampering, but the data isn't encrypted). The data is a base64-encoded marshaled Ruby object. In Ruby it is dead easy: strip off the signature (including and after the --) and do Marshal.load(ActiveSupport::Base64.decode64(blob_of_data)). You would probably need to reimplement part of Ruby's marshalling algorithm to decode the data (the marshal format is documented).

Fred.

> Thanks in advance for any tips/pointers/insight,
> Joe
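Added example (not code from the thread or from Rails itself) showing the cookie layout Fred describes, data"--"signature with the data being Base64 of a marshaled Ruby hash, and the check a consumer should do before touching the payload: verify the signature first, because Marshal.load on unverified input is unsafe. It assumes the signature is an HMAC-SHA1 hex digest of the Base64 text keyed with the session secret, as in the Rails 2.x CookieStore; the secret and session contents are constructed test values.

```ruby
require 'openssl'

# Assumption: Rails 2.x CookieStore signs the Base64 text with HMAC-SHA1 (hex).
DIGEST = OpenSSL::Digest.new('sha1')

# Build a cookie value the way the store does: Base64(Marshal.dump(hash)) + "--" + HMAC.
# pack('m0') is strict Base64 without line breaks (same output as Base64.strict_encode64).
def sign_session(session_hash, secret)
  data = [Marshal.dump(session_hash)].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest(DIGEST, secret, data)}"
end

# Constant-time comparison so a wrong signature is not rejected faster at the first
# differing byte (a timing side channel).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify, then decode. Returns the session hash, or nil if the cookie is malformed,
# was signed with another secret, or has been altered in transit.
def read_session(cookie, secret)
  data, sig = cookie.split('--', 2)
  return nil if data.nil? || sig.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest(DIGEST, secret, data)
  return nil unless secure_compare(expected, sig)
  Marshal.load(data.unpack1('m0')) # only reached once the HMAC has checked out
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-test-secret'            # constructed, not a real secret
  cookie = sign_session({ 'user_id' => 42 }, secret)
  puts cookie
  p read_session(cookie, secret)                # {"user_id"=>42}
  p read_session(cookie.sub('--', 'x--'), secret) # nil: payload no longer matches signature
end
```

The raw value in the Set-Cookie header is URL-escaped, so unescape it before splitting on "--"; a non-Ruby consumer like the JSP app still needs its own Marshal reader for the decoded bytes, as Fred notes, but the signature check itself is just HMAC-SHA1 and Base64.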