给定会话密钥和秘密，我们如何解密Rails cookie？ [英] Given the session key and secret, how can we decrypt Rails cookies?

问题描述

我有一个关于Rails如何处理cookie
加密/解密的问题。

我已经在我的config / environment.rb

  config.action_controller.session = {
：session_key => [some key]，
：secret => [some secret] 
} 
  

在config / environment / production.rb等。：

  ActionController :: Base.session_options [：session_domain] = [some 
 domain] 
  

到目前为止，只要我的所有Rails应用程序都有相同的
session_key和secret，

但是，一个同事现在有一个JSP应用程序（在同一个域上），$

因此，给定一个秘密和一个加密的cookie值，我们如何解密

（文档似乎表明这是单向SHA1加密默认值
- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -
，那么我的Rails应用程序如何读取单向加密的cookie
的内容？）

提前感谢

解决方案

如果任何提示/指针/洞察，你直接从存储在应用程序数据库中的会话数据中拉取session.data字段（如果您在environment.rb文件中使用active_record_store）

  config.action_controller.session_store =：active_record_store 
  

...这里是如何解码并返回哈希值：

  Marshal.load（ActiveSupport :: Base64.decode64（@ session.data））
  

...或在Rails> = 3.2（感谢Chuck Vose）

  Marshal.load（Base64.decode64（@ session.data））
  

b $ b

它根本不加密。

I've got a question about how Rails handles cookie encryption/decryption.

I've got this in my config/environment.rb

  config.action_controller.session = {
    :session_key => [some key],
    :secret => [some secret]
  }

And this in config/environment/production.rb et al.:

  ActionController::Base.session_options[:session_domain] = [some
domain]

So far, so good -- as long as all my Rails apps have the same session_key and secret, and are on the same domain, they can all use that same cookie.

However, a colleague now has a JSP application (on the same domain), with which he'd like to read the cookies I have set.

So, given a secret and an encrypted cookie value, how would we decrypt it to get the contents of that cookie?

(The docs seem to indicate this is one-way SHA1 encryption by default -- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -- but then how would my Rails applications read the contents of a cookie that is one-way encrypted?)

Thanks in advance for any tips/pointers/insight,

Joe

解决方案

If you pull the session.data field straight from the session data stored in your app's database (if you are using active_record_store in your environment.rb file)

config.action_controller.session_store = :active_record_store

... here is how you decode it and return the hash:

Marshal.load(ActiveSupport::Base64.decode64(@session.data))

... or in Rails >= 3.2 (thanks Chuck Vose)

Marshal.load(Base64.decode64(@session.data))

It is not encrypted at all.

这篇关于给定会话密钥和秘密，我们如何解密Rails cookie？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！