I've got a question about how Rails handles cookie encryption/decryption.
I've got this in my config/environment.rb
config.action_controller.session = {
:session_key => [some key],
:secret => [some secret]
}
And this in config/environment/production.rb et al.:
ActionController::Base.session_options[:session_domain] = [some domain]
So far, so good -- as long as all my Rails apps have the same session_key and secret, and are on the same domain, they can all use that same cookie.
However, a colleague now has a JSP application (on the same domain), with which he'd like to read the cookies I have set.
So, given a secret and an encrypted cookie value, how would we decrypt it to get the contents of that cookie?
(The docs seem to indicate this is one-way SHA1 encryption by default -- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -- but then how would my Rails applications read the contents of a cookie that is one-way encrypted?)
Thanks in advance for any tips/pointers/insight,
Joe
Here's how to decrypt the session cookie in Rails 4
http://big-elephants.com/2014-01/handling-rails-4-sessions-with-go/
By default, Rails (before version 4) does not encrypt session cookies, it only signs them. To encrypt them, you need to do something like this:
There are multiple plugins that provide that kind of encryption functionality.
So, if you're not specifically using an encrypted store, all the Java code needs to do is verify the cookie signature and decode the cookie. As Alex says in his answer, you would need to duplicate the functionality of ActiveSupport::MessageVerifier#verify, and share the key with the Java application. That both verifies and decodes the cookie.
If you don't want to verify the signature (which I do NOT recommend), you can use Midwire's method of decoding from Base64 to view the session hash. In Ruby, this is:
I know this is old, but hope this helps somebody!
(Update: The question relates to Rails 3. Starting with Rails 4, session cookies are encrypted by default.)
I've written a Ruby gem to handle cookies managed by Rails apps. Reading its source you can understand how it works and possibly port it to Java so that your JSP app could use that:
https://github.com/rosenfeld/rails_compatible_cookies_utils
It's a single file with ~150 lines of code which also handles signed-only cookie values and takes care of both signing/encrypting and verifying/decrypting, while you seem to only be concerned about decrypting. This is the method for decrypting:
https://github.com/rosenfeld/rails_compatible_cookies_utils/blob/master/lib/rails_compatible_cookies_utils.rb#L41-L52
It's worth mentioning that besides the key and the secret you'll also need to know which serializer is used. It used to be Marshal, but it seems the default for newly generated apps is now JSON. If Marshal was used, then it may be tricky to convert that code to Java, as you'd have to find a library that implements Ruby's Marshal#load.
Rails uses HMAC-SHA1 for encrypting cookie data, which is different from a one-way SHA1 encryption, as you suspected (see the Wikipedia article on HMAC for an explanation). The encryption is done by the ActiveSupport::MessageVerifier class (source code is fairly readable). Here's an example based on a test Rails app:
This should return the session hash you expect. To implement this in Java your colleague is going to have to duplicate the ActiveSupport::MessageVerifier#verify method. Source code is in your gems directory (/usr/lib/ruby/gems/1.8/gems on my system) at activesupport-2.3.5/lib/active_support/message_verifier.rb.
If you pull the session.data field straight from the session data stored in your app's database (if you are using active_record_store in your environment.rb file) ... here is how you decode it and return the hash:
... or in Rails >= 3.2 (thanks Chuck Vose)
It is not encrypted at all.
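As an added example (not code from any of the answers above, and not Rails' own code), here is a self-contained Ruby re-implementation, using only OpenSSL, Base64 and JSON, of both cookie formats discussed in this thread: the Rails 2.3/3.x signed cookie that the MessageVerifier answers describe, and the Rails 4 encrypted cookie that the big-elephants link covers. Having it in plain OpenSSL calls is what makes it portable to Java. The Rails 4 key-derivation parameters (PBKDF2-HMAC-SHA1, 1000 iterations, the salts "encrypted cookie" and "signed encrypted cookie") and the serializer defaults are my recollection of Rails defaults and should be treated as assumptions to check against your Rails version; the session hash and secrets in the demo are constructed.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example (not code from this thread or from Rails). Two formats:
#   1. Rails 2.3/3.x signed cookie: base64(payload) + "--" + HMAC-SHA1 hex digest
#   2. Rails 4 encrypted cookie:    that signed form wrapping
#                                   base64(AES-256-CBC ciphertext) + "--" + base64(iv)
# Key-derivation constants for (2) (PBKDF2-HMAC-SHA1, 1000 iterations, the two
# salts) are assumptions based on my recollection of Rails 4 defaults.

SEP = '--'.freeze

# Constant-time comparison (the job ActiveSupport's secure_compare does) so a
# forger cannot learn byte by byte how much of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  res = 0
  a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
  res.zero?
end

def hmac_sha1_hex(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), key, data)
end

# :marshal was the default in the Rails versions the question is about; newer
# apps use :json, which is also the one that is easy to reproduce from Java.
def serialize(value, serializer)
  serializer == :json ? JSON.generate(value) : Marshal.dump(value)
end

def deserialize(blob, serializer)
  serializer == :json ? JSON.parse(blob) : Marshal.load(blob)
end

# ---- 1. signed cookies (equivalent of MessageVerifier#generate / #verify) ----

def sign_cookie(secret, value, serializer: :marshal)
  data = Base64.strict_encode64(serialize(value, serializer))
  "#{data}#{SEP}#{hmac_sha1_hex(secret, data)}"
end

# Returns the session hash, or nil when the signature does not check out.
# The payload is deserialized only AFTER the HMAC matches: Marshal.load on
# attacker-controlled bytes can instantiate arbitrary objects.
def verify_cookie(secret, signed, serializer: :marshal)
  data, digest = signed.split(SEP, 2)
  return nil if data.nil? || digest.nil? || data.empty? || digest.empty?
  return nil unless secure_compare(digest, hmac_sha1_hex(secret, data))
  deserialize(Base64.decode64(data), serializer)
end

# ---- 2. Rails 4 encrypted cookies (equivalent of MessageEncryptor) ----

def derive_key(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, 64)
end

def encrypt_cookie(secret_key_base, value, serializer: :json)
  key = derive_key(secret_key_base, 'encrypted cookie')[0, 32] # AES-256 key
  sign_key = derive_key(secret_key_base, 'signed encrypted cookie')
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh random IV per cookie, stored next to the ciphertext
  ciphertext = cipher.update(serialize(value, serializer)) + cipher.final
  inner = "#{Base64.strict_encode64(ciphertext)}#{SEP}#{Base64.strict_encode64(iv)}"
  data = Base64.strict_encode64(inner)
  "#{data}#{SEP}#{hmac_sha1_hex(sign_key, data)}"
end

# Verify the outer signature first, then decrypt; nil on any failure.
def decrypt_cookie(secret_key_base, cookie, serializer: :json)
  key = derive_key(secret_key_base, 'encrypted cookie')[0, 32]
  sign_key = derive_key(secret_key_base, 'signed encrypted cookie')
  data, digest = cookie.split(SEP, 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, hmac_sha1_hex(sign_key, data))
  ct_b64, iv_b64 = Base64.decode64(data).split(SEP, 2)
  return nil if ct_b64.nil? || iv_b64.nil?
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = key
  cipher.iv = Base64.decode64(iv_b64)
  deserialize(cipher.update(Base64.decode64(ct_b64)) + cipher.final, serializer)
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, TypeError, ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  session = { 'session_id' => 'abc123', 'user_id' => 42 } # constructed sample
  signed = sign_cookie('some secret', session)
  puts "signed:    #{signed}"
  puts "verified:  #{verify_cookie('some secret', signed).inspect}"
  puts "bad key:   #{verify_cookie('wrong secret', signed).inspect}"
  enc = encrypt_cookie('secret_key_base_for_demo', session)
  puts "decrypted: #{decrypt_cookie('secret_key_base_for_demo', enc).inspect}"
end
```

Two practical caveats for a Java port: the value that arrives in the Cookie header is URL-escaped by Rack (the trailing `=` of the base64 shows up as `%3D`), so URL-decode it before splitting on `--`; and keep the order above, signature check first and deserialization second, since decoding the Base64 without verifying (the "Midwire" shortcut) both trusts data the client can forge and, with the Marshal serializer, feeds attacker-controlled bytes to Marshal.load.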