madwork / decode_session_cookie.rb
Forked from profh/decode_session_cookie.rb
Last active Oct 22, 2020
Rails 4.1+ Decode Session
# decode_session_cookie.rb
# ------------------------
# The purpose of this script is to show that if I have the secret_key_base
# and a cookie to an active Rails session, I can decrypt it and gain access
# to key information about the user's session.

require 'rubygems'
require 'cgi'
require 'active_support'
require 'json'

def decrypt_session_cookie(cookie, key)
  # The cookie value is URL-encoded as sent by the browser
  cookie = CGI::unescape(cookie)

  # Default values for Rails 4 apps
  key_iter_num = 1000
  key_size     = 64
  salt         = "encrypted cookie"
  signed_salt  = "signed encrypted cookie"

  key_generator = ActiveSupport::KeyGenerator.new(key, iterations: key_iter_num)
  # AES-256-CBC uses only the first 32 bytes of the derived key; newer
  # Ruby/OpenSSL versions raise on a longer key instead of truncating it.
  secret      = key_generator.generate_key(salt, key_size)[0, 32]
  sign_secret = key_generator.generate_key(signed_salt, key_size)

  encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: JSON)
  puts encryptor.decrypt_and_verify(cookie)
end

# Rails 4.2
cookie = 'ZGhTbEhmUzZBYWhDSUwxY1FhSE1sNU50UnpZa0lCYnlUMjZXNUM0VWJNQ1VCS3hqQVRFNWh5eEllakE5STFtcmtCQm5sbXpJeGZjSFJKWGcvSStwL0NMMDlzRXpTOVZCd1h3L3poY0pnait0M3VEc3lnL1orcUVVdDFlUFRLWEZ2eXU1RmQ0c3ZKL2czWFlBb0Fwa3hQa3BFOGpQWmVlM0FxWjVyKzNja0NmQzZKRVIxUmpDalZiUjgvYUFDbzdDLS1WQlhpQzRnaW5XN2lqNGJ3eldVRGpBPT0%3D--afd0785340955dfaa18850fd1a1d966f68634b23'
key = 'fdb79a5ddfb30d9639ab15fb149712c6b783d2baa10ca07e0ababfab1453a7eb9d94b686799151c963af8a5c28571127c5a221615d14ba8fe863a720ed49a003'

decrypt_session_cookie(cookie, key)
# {"session_id"=>"717fdab32b88a55f09c853349f198ae5", "rails"=>"awesome!", "_csrf_token"=>"exj0VLeC4FzAfBTfDrCYMYuxD2cYzH9chf/U8PuK+E8="}
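
The same cookie layout handled with only the Ruby standard library, to show what the KeyGenerator and MessageEncryptor calls above do: PBKDF2-HMAC-SHA1 key derivation, an HMAC-SHA1 check over the outer Base64 blob, then AES-256-CBC. This is an added example, not part of the original gist; `derive`, `seal`, `open_cookie` and `secure_eq` are hypothetical names, `URI` stands in for `CGI` for the URL decoding, and the sample session and key in the test are constructed.

```ruby
require 'openssl'
require 'base64'
require 'uri'
require 'json'

# Rails 4 defaults, the same values the script above uses.
ITERATIONS = 1000
ENC_SALT   = 'encrypted cookie'
SIGN_SALT  = 'signed encrypted cookie'

# PBKDF2-HMAC-SHA1 with a 64-byte output, one derived key per salt.
def derive(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, ITERATIONS, 64)
end

def hmac(sign_key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), sign_key, data)
end

# Length check, then a comparison that does not stop at the first differing byte.
def secure_eq(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds a constructed sample in the layout base64(base64(ct)--base64(iv))--hmac.
def seal(session, secret_key_base)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = derive(secret_key_base, ENC_SALT)[0, 32]
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(session)) + cipher.final
  data = Base64.strict_encode64("#{Base64.strict_encode64(ct)}--#{Base64.strict_encode64(iv)}")
  URI.encode_www_form_component("#{data}--#{hmac(derive(secret_key_base, SIGN_SALT), data)}")
end

# Verifies the signature before touching the ciphertext; nil means "rejected".
def open_cookie(cookie, secret_key_base)
  data, digest = URI.decode_www_form_component(cookie).split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_eq(hmac(derive(secret_key_base, SIGN_SALT), data), digest)

  ct, iv = Base64.strict_decode64(data).split('--', 2).map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = derive(secret_key_base, ENC_SALT)[0, 32]
  cipher.iv = iv
  JSON.parse(cipher.update(ct) + cipher.final)
end
```

Both keys come from `secret_key_base` and two fixed salts, so the confidentiality and integrity of every session cookie rest on that one value staying out of source control, logs and backups.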