Given the session key and secret, how can we decrypt Rails cookies?

Question

I\'ve got a question about how Rails handles cookie encryption/decryption.

I\'ve got this in my config/environment.rb

  config.action_controller.sess         


        

Answer 1

Here's how to decrypt the session cookie in Rails 4

def decrypt_session_cookie(cookie)
  cookie = CGI.unescape(cookie)
  config = Rails.application.config

  encrypted_cookie_salt = config.action_dispatch.encrypted_cookie_salt               # "encrypted cookie" by default
  encrypted_signed_cookie_salt = config.action_dispatch.encrypted_signed_cookie_salt # "signed encrypted cookie" by default

  key_generator = ActiveSupport::KeyGenerator.new(config.secret_key_base, iterations: 1000)
  secret = key_generator.generate_key(encrypted_cookie_salt)
  sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)

  encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
  encryptor.decrypt_and_verify(cookie)
end

http://big-elephants.com/2014-01/handling-rails-4-sessions-with-go/