Rails 4: How to decrypt rails 4 session cookie (Given the session key and secret)


Problem description


In Rails 3 the session cookie can easily be decoded with base64 decoding, but in Rails 4 cookies are encoded as well as encrypted.

I want to know how to read a rails 4 cookie which is encoded as well as encrypted (assuming we know the secret key base).

Thanks,

Solution

Rails 4 uses AES-256 to encrypt cookies with the key based on your app's secret_token_base.

Here's the general scheme of decrypting a session cookie:

  1. calc your secret key
  2. Base 64 decode the cookie value
  3. split the decoded cookie value by '--', this will result in two parts, the first part is the encrypted data and the second is the initialization vector used by the encryption scheme. Base 64 decode each part independently.
  4. decrypt the encrypted data by applying AES decryption with the secret key and the initialization vector.

I couldn't find a website to easily decrypt the messages (advice is welcome), programmatically it can be done like this:

require 'openssl'
require 'base64'

# app_secret_token is the app's secret_key_base; 'encrypted cookie' is the Rails 4 default salt
secret = OpenSSL::PKCS5.pbkdf2_hmac_sha1(app_secret_token, 'encrypted cookie', 1000, 64)

encrypted_message = Base64.decode64(cookie_str)
cipher = OpenSSL::Cipher.new('aes-256-cbc')   # OpenSSL::Cipher::Cipher.new is deprecated
encrypted_data, iv = encrypted_message.split("--").map {|v| ::Base64.strict_decode64(v)}

cipher.decrypt
cipher.key = secret[0, cipher.key_len]   # AES-256 needs 32 bytes; newer Ruby OpenSSL rejects the 64-byte key instead of silently truncating it
cipher.iv  = iv

decrypted_data = cipher.update(encrypted_data)
decrypted_data << cipher.final

# Rails 4.0 serializer; apps with cookies_serializer :json use JSON.parse instead.
# Marshal.load builds arbitrary objects, so only feed it a cookie whose signature has been verified.
Marshal.load(decrypted_data)

Couple of notes:

  • This code snippet is almost identical to the actual _decrypt method implementation in ActiveSupport::MessageEncryptor which is used by the ActionDispatch::Cookies middleware.

  • This is all very much Rails 4 specific, from the ActionDispatch::Session::CookieJar:

    If you only have secret_token set, your cookies will be signed, but not encrypted. This means a user cannot alter their +user_id+ without knowing your app's secret key, but can easily read their +user_id+. This was the default for Rails 3 apps.

    If you have secret_key_base set, your cookies will be encrypted. This goes a step further than signed cookies in that encrypted cookies cannot be altered or read by users. This is the default starting in Rails 4.
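As an added example (not the answer's own code), here is the full round trip the answer describes, in Ruby: the PBKDF2 key derivation, the AES-256-CBC "data--iv" payload, and the outer HMAC-SHA1 signature that ActionDispatch wraps around it, which the answer's snippet leaves out. It assumes the Rails 4 default salts ('encrypted cookie' and 'signed encrypted cookie') and the JSON cookie serializer (the Rails 4.1+ default), with a constructed secret_key_base and session hash; the signature is checked before any decryption so a tampered cookie is rejected rather than handed to the deserializer.

```ruby
require 'openssl'
require 'base64'
require 'json'
# Constructed example values, not taken from any real application.
SECRET_KEY_BASE = 'constructed-secret-key-base-for-this-example-only'
SAMPLE_SESSION  = { 'session_id' => 'c0ffee', 'user_id' => 42 }
ENC_SALT  = 'encrypted cookie'        # Rails 4 default encrypted_cookie_salt
SIGN_SALT = 'signed encrypted cookie' # Rails 4 default encrypted_signed_cookie_salt
# Rails 4 KeyGenerator: PBKDF2-HMAC-SHA1, 1000 iterations, 64-byte output.
def derive_key(secret_key_base, salt)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, 64)
end
def hmac_hex(secret_key_base, data)
  OpenSSL::HMAC.hexdigest('SHA1', derive_key(secret_key_base, SIGN_SALT), data)
end
# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end
# Build a cookie the way Rails 4 does: AES-256-CBC yields "base64(ct)--base64(iv)",
# then MessageVerifier wraps it as "base64(payload)--hex_hmac_sha1(payload)".
def encrypt_session(session, secret_key_base)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = derive_key(secret_key_base, ENC_SALT)[0, 32] # AES-256 uses 32 of the 64 bytes
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(session)) + cipher.final
  data = Base64.strict_encode64("#{Base64.strict_encode64(ct)}--#{Base64.strict_encode64(iv)}")
  "#{data}--#{hmac_hex(secret_key_base, data)}"
end

# Takes the cookie as the app sees it (after Rack URL-unescaping). Checks the
# signature before touching the ciphertext and returns nil for any bad input.
def decrypt_session(cookie_value, secret_key_base)
  data, sig = cookie_value.to_s.split('--', 2)
  return nil if sig.nil? || !secure_compare(hmac_hex(secret_key_base, data), sig)
  ct_b64, iv_b64 = Base64.strict_decode64(data).split('--', 2)
  return nil if iv_b64.nil?
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = derive_key(secret_key_base, ENC_SALT)[0, 32]
  cipher.iv  = Base64.strict_decode64(iv_b64)
  JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end
```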
