Posted 22 days ago.

Rails: Decrypt a session cookie

This method lets you manually decrypt the session cookie of a Rails 5.2 app. In Chrome you can copy the cookie value from Dev Tools > Application > Cookies > _application_name_session.

Apps generated with Rails 4.1 or later (so any freshly generated Rails 5.2 app) use JSON as the cookie serializer; apps upgraded from older versions may still use Marshal. You can find out your application's cookie serializer with Rails.application.config.action_dispatch.cookies_serializer. Note that with Marshal anyone who knows secret_key_base can forge a cookie whose Marshal.load runs arbitrary code in your app, which is one more reason to keep that secret out of logs and repositories and to migrate to JSON.

```ruby
require 'cgi'
require 'json'
require 'active_support'
require 'active_support/key_generator'
require 'active_support/message_encryptor'

# Run this in `rails console` or `rails runner`: it reads secret_key_base and
# the cookie salts from the booted application.

def verify_and_decrypt_json_session_cookie(cookie)
  serialized_content = verify_and_decrypt_session_cookie(cookie)
  JSON.parse(serialized_content)
end

def verify_and_decrypt_marshal_session_cookie(cookie)
  serialized_content = verify_and_decrypt_session_cookie(cookie)
  Marshal.load(serialized_content)
end

# Returns the raw serialized session string. The cookie jar wraps the encryptor
# with NullSerializer and applies the JSON/Marshal serializer itself, so we do
# the same: decrypting with `serializer: JSON` and then calling JSON.parse on
# the result would parse twice and raise a TypeError.
def verify_and_decrypt_session_cookie(cookie)
  cookie = CGI.unescape(cookie) # Rack URL-escapes the value ('=' is stored as %3D)
  salt = Rails.configuration.action_dispatch.encrypted_cookie_salt
  signed_salt = Rails.configuration.action_dispatch.encrypted_signed_cookie_salt
  key_generator = ActiveSupport::KeyGenerator.new(Rails.application.secret_key_base, iterations: 1000)
  secret = key_generator.generate_key(salt)[0, 32]      # AES-256-CBC key
  sign_secret = key_generator.generate_key(signed_salt) # HMAC-SHA1 key
  encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
  # Raises ActiveSupport::MessageEncryptor::InvalidMessage if the key is wrong
  # or the cookie was tampered with.
  encryptor.decrypt_and_verify(cookie)
end
```

Example session cookie:

```ruby
verify_and_decrypt_marshal_session_cookie('K2lUcDA1MjQ4b05RRU9zU2tNM05ldmIvdGpKVzNDdmRNNVkvbHFVSkNwT1lGODhkN3NZZHRYaDBwQXowR2lheUoxemt1Wm82Z0psYlFNVFM2dmxQaVNvRlhRZGNQQzNXUkswNnNTdVRPR1o5UURrY29CUjJvbEtXb2dwS2dTazZneG5XbjBzMVZISEVyc3ZkQzIxRW9FU3JERHZMWFg3Uk50Z2o0cVZ1eUF2VVR2RjdFbDUvaXlqUEorMEd6NGM0WjBhaTZOQ0NPaGE1NkZCTmVjMzdHajZueU56TVpQZk53bVJKZ21KWW9SdXFuc09WZVlMNS93aERSRlhLTWpEN3Y2M2xtSTlrUjNoS0lNQVMxNUhLNkpDekhhcUViZklLa0pSV3A2NzBtZmc9LS0yS1RmVTJyanl5dHpWQklkSlFQbVJRPT0%3D--50da898541a727755da8cffffbcfbb2c5dd3310b')
# => {
#   "session_id" => "8ef662867ab2457717ba74c143c08733",
#   "timestamp" => 1572261371,
#   "warden.user.user.key" => [[3], "$2a$13$FlVrgrbRbFRaFun/4dhaK."],
#   "_csrf_token" => "e03pX09Pqfj3syQp0w9AAJ3fEh7I9Sm8VhndHfqQxgw="
# }
```

This method is based on Decrypt a Rails 5 session cookie and extended with the cookie serializer section. A wrong secret or a tampered cookie raises ActiveSupport::MessageEncryptor::InvalidMessage; using the wrong cookie serializer typically fails one step later, with a JSON::ParserError for Marshal data or a TypeError ("incompatible marshal file format") for JSON data. Two caveats: the method above decrypts the AES-256-CBC + HMAC-SHA1 cookie format, which is what the example cookie uses (its 40-hex-character suffix is the SHA1 HMAC). A 5.2 app running with config.load_defaults 5.2 has action_dispatch.use_authenticated_cookie_encryption enabled and writes AES-256-GCM cookies instead, derived from action_dispatch.authenticated_encrypted_cookie_salt with no separate signing key, so the salts and the MessageEncryptor setup have to be adjusted (cipher: "aes-256-gcm", one 32-byte key). And the decrypted hash shows what a stolen cookie plus a leaked secret_key_base would expose: the Devise warden key contains the user id and the first 29 characters of the user's bcrypt hash.
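As an added, stand-alone example that is not the card's own code and needs no Rails app, the following script rebuilds the CBC + HMAC cookie format described above from the stdlib alone: it derives both keys with PBKDF2-HMAC-SHA1 the way ActiveSupport::KeyGenerator does, encrypts a constructed session hash into a cookie, and decrypts it again, with the serializer choice (JSON or Marshal) exposed so the "wrong serializer" failure can be observed. The secret_key_base, the session contents and the helper names (encrypt_session_cookie, decrypt_session_cookie, cookie_scheme) are assumptions made for this example; the salts and iteration count are the Rails 5.x defaults. cookie_scheme goes slightly beyond the card and tells the CBC + HMAC format apart from the AES-256-GCM format of load_defaults 5.2 by their shape.

```ruby
require 'cgi'
require 'json'
require 'openssl'

# Constructed demo secret (hex-like, as `rails secret` prints); not a real key.
DEMO_SECRET_KEY_BASE = '0f3b9c' * 21
# Rails 5.x defaults for the pre-5.2 cookie scheme (AES-256-CBC + HMAC-SHA1).
ENCRYPTED_COOKIE_SALT        = 'encrypted cookie'
ENCRYPTED_SIGNED_COOKIE_SALT = 'signed encrypted cookie'
KEY_ITERATIONS = 1000

class InvalidCookie < StandardError; end

# Strict base64 without the base64 gem: 'm0' rejects malformed input.
def b64_encode(bytes) = [bytes].pack('m0')
def b64_decode(text)  = text.unpack1('m0')

# What ActiveSupport::KeyGenerator does: PBKDF2-HMAC-SHA1 over secret_key_base.
def derive_key(secret_key_base, salt, length)
  OpenSSL::KDF.pbkdf2_hmac(secret_key_base, salt: salt, iterations: KEY_ITERATIONS,
                           length: length, hash: 'sha1')
end

def serializer_dump(value, serializer)
  serializer == :marshal ? Marshal.dump(value) : JSON.generate(value)
end

def serializer_load(data, serializer)
  serializer == :marshal ? Marshal.load(data) : JSON.parse(data)
end

# Constant-time comparison so the signature check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce a cookie the way the legacy EncryptedCookieJar does:
#   base64( base64(ciphertext) "--" base64(iv) ) "--" hex(HMAC-SHA1)
# and URL-escape it as Rack does when it writes the Set-Cookie header.
def encrypt_session_cookie(session, secret_key_base, serializer: :json)
  secret      = derive_key(secret_key_base, ENCRYPTED_COOKIE_SALT, 32)
  sign_secret = derive_key(secret_key_base, ENCRYPTED_SIGNED_COOKIE_SALT, 64)

  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = secret
  iv = cipher.random_iv
  ciphertext = cipher.update(serializer_dump(session, serializer)) + cipher.final

  inner   = "#{b64_encode(ciphertext)}--#{b64_encode(iv)}"
  encoded = b64_encode(inner)
  CGI.escape("#{encoded}--#{OpenSSL::HMAC.hexdigest('SHA1', sign_secret, encoded)}")
end

# Verify the HMAC first, then decrypt, then deserialize. Every failure,
# including the wrong serializer for the payload, surfaces as InvalidCookie.
def decrypt_session_cookie(cookie, secret_key_base, serializer: :json)
  secret      = derive_key(secret_key_base, ENCRYPTED_COOKIE_SALT, 32)
  sign_secret = derive_key(secret_key_base, ENCRYPTED_SIGNED_COOKIE_SALT, 64)

  encoded, sep, digest = CGI.unescape(cookie).rpartition('--')
  raise InvalidCookie, 'no signature' if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA1', sign_secret, encoded)
  raise InvalidCookie, 'bad signature' unless secure_compare(expected, digest)

  ciphertext_b64, sep, iv_b64 = b64_decode(encoded).rpartition('--')
  raise InvalidCookie, 'malformed payload' if sep.empty?
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = secret
  cipher.iv  = b64_decode(iv_b64)
  plaintext  = cipher.update(b64_decode(ciphertext_b64)) + cipher.final
  serializer_load(plaintext, serializer)
rescue ArgumentError, TypeError, OpenSSL::Cipher::CipherError, JSON::ParserError => e
  raise InvalidCookie, e.message
end

# Which scheme wrote this cookie? Legacy cookies end in a 40-hex-char HMAC-SHA1;
# Rails 5.2 with use_authenticated_cookie_encryption emits AES-256-GCM cookies
# as three base64 parts (ciphertext--iv--auth_tag) with no outer signature.
def cookie_scheme(cookie)
  parts = CGI.unescape(cookie).split('--')
  if parts.size == 2 && parts.last.match?(/\A\h{40}\z/)
    :aes_256_cbc_hmac_sha1
  elsif parts.size == 3
    :aes_256_gcm
  else
    :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  session = { 'session_id' => 'demo', '_csrf_token' => 'token' } # constructed
  cookie  = encrypt_session_cookie(session, DEMO_SECRET_KEY_BASE)
  puts cookie
  p decrypt_session_cookie(cookie, DEMO_SECRET_KEY_BASE)
  p cookie_scheme(cookie)
end
```

To check a real cookie, replace DEMO_SECRET_KEY_BASE with the app's secret and pass the value copied from the browser unchanged; if cookie_scheme reports :aes_256_gcm the app runs with the 5.2 defaults and decrypt_session_cookie does not apply.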


Owner of this card: Emanuel De
Last edit: 15 days ago by Jakob Scholz
Posted by Emanuel De to makandra dev