Create a gist now

Instantly share code, notes, and snippets.

decoder.rb
require'uri'
require'base64'
p Marshal.load(Base64.decode64(URI.decode(gets.split('--').first)))
@ytrezq
ytrezq commented Sep 15, 2015

@homakov : Very nice ! But perhaps should need an update in order to handle the the new format (they still store them on clients unencrypted, I checked it).
Also please add a file to this gist in order to re‑encode modified session cookies back.

It seems gist store the user name in some way because I found this (I used opera dragonfly for editing local storage and cookies) :

  • log in to github.com but not on gist.github.com.
  • editdotcom_userin order to restrict it from being send to github.com sub‑domains.
  • create a newdotcom_userlocal to gist.github.com and set it to your github login name.

Works normally…

  • log out of github and gist.github.com. Clear all github cookies of the web‑browsers.
  • log in to github.com but not on gist.github.com.
  • addlogged‑in trueto https://gist.github.com in the web‑browser local storage.
  • editdotcom_userin order to restrict it from being send to github.com sub‑domains.
  • create a newdotcom_userlocal to gist.github.com and set it to an another existing gist login user name.
    Save your web browser session (because what will happen will probably crash it). Go to gist.github.com and get fun :

This is settingdotcom_userwhich trigger gist asking oauth to github.com. If this cookie is not sent or it’s value is null, the user use gist.github.com as a guest. So gist.github.com sends a 302 response redirecting tohttps://gist.github.com/auth/github?return_to=https%3A%2F%2Fgist.github.com%2F
which redirect redirect tohttps://github.com/login/oauth/authorize?response_type=code&client_id=7e0a3cd836d3e544dbd&…
Which set _gh_sess and redirect to the gist.github.com callback.
Which set gist_user_session and redirect to gist.github.com main domain
But the dotcom_user don’t match something. I’m very curious to know exactly what sincecodechange every times (but guess this is linked to the standard Oauth process). As result gist.github.com re‑trigger the oauth exchange, leading to this result :

A circled redirect !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment