Skip to content

Instantly share code, notes, and snippets.

@berniechiu

berniechiu/verify_and_decrypt_session_cookie60beta1.rb

Forked from wildjcrt/verify_and_decrypt_session_cookie60beta1.rb
Created May 18, 2023 07:41
Show Gist options
  • Save berniechiu/41323e77433b9b6930d18818203fc1b8 to your computer and use it in GitHub Desktop.
Save berniechiu/41323e77433b9b6930d18818203fc1b8 to your computer and use it in GitHub Desktop.
Download ZIP
Decrypt Rails 6.0 beta session cookies
Raw
verify_and_decrypt_session_cookie60beta1.rb
require 'cgi'
require 'active_support'
def verify_and_decrypt_session_cookie(cookie, secret_key_base = Rails.application.secret_key_base)
config = Rails.application.config
cookie = CGI::unescape(cookie)
salt = config.action_dispatch.authenticated_encrypted_cookie_salt
encrypted_cookie_cipher = config.action_dispatch.encrypted_cookie_cipher || 'aes-256-gcm'
# serializer = ActiveSupport::MessageEncryptor::NullSerializer # use this line if you don't know your serializer
serializer = ActionDispatch::Cookies::JsonSerializer
key_generator = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
secret = key_generator.generate_key(salt, key_len)
encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: serializer)
session_key = config.session_options[:key].freeze
encryptor.decrypt_and_verify(cookie, purpose: "cookie.#{session_key}")
end
@berniechiu
Copy link
Author

Rails 7

def decrypt_cookie(cookie)
  cookie = CGI.unescape(cookie)
  data, iv, auth_tag = cookie.split("--").map { |v| Base64.strict_decode64(v) }
  raise InvalidMessage if (auth_tag.nil? || auth_tag.bytes.length != 16)

  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  secret = OpenSSL::PKCS5.pbkdf2_hmac(
    Rails.application.secret_key_base,
    Rails.configuration.action_dispatch.authenticated_encrypted_cookie_salt,
    1000,
    cipher.key_len,
    Rails.configuration.active_support.hash_digest_class.new
  )

  # Setup cipher for decryption and add inputs
  cipher.decrypt
  cipher.key = secret
  cipher.iv  = iv
  cipher.auth_tag = auth_tag
  cipher.auth_data = ""

  # Perform decryption
  cookie_payload = cipher.update(data)
  cookie_payload << cipher.final
  cookie_payload = JSON.parse(cookie_payload)

  message = ActiveSupport::Messages::Metadata.verify(cookie_payload, "decrypt")
  JSON.parse(Base64.decode64(cookie_payload["_rails"]["message"]))
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment