I've got a question about how Rails handles cookie encryption/decryption.
I've got this in my config/environment.rb
config.action_controller.sess
I've written a Ruby gem to handle cookies managed by Rails apps. Reading its source you can understand how it works and possibly port it to Java so that your JSP app could use that:
https://github.com/rosenfeld/rails_compatible_cookies_utils
It's a single file with ~ 150 lines of code which also handles signed only cookie values and takes care of both signing/encrypting and verifying/decrypting, while you seem to only be concerned about decrypting. This is the method for decrypting:
https://github.com/rosenfeld/rails_compatible_cookies_utils/blob/master/lib/rails_compatible_cookies_utils.rb#L41-L52
It's worth mentioning that besides the key and the secret you'll also need to know which serializer is used. It used to be Marshal but it seems the default for newly generated apps is now JSON. If Marshal was used then it may be tricky to convert that code to Java as you'd have to find a library which implements Ruby's Marshal#load.
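
The verify-then-decrypt flow discussed in the answer above, as an added Ruby example that is not taken from the linked gem or from Rails. It assumes the Rails 4.x-era cookie format (AES-256-CBC plus an HMAC-SHA1 signature, keys derived by PBKDF2 from `secret_key_base` with the default salts); all helper names are hypothetical, and `encrypt_cookie` exists only to build a constructed cookie so the block runs offline.

```ruby
require 'openssl'
require 'json'
require 'uri'

# Assumed Rails 4.x-era default salts; confirm against the app's configuration.
ENC_SALT  = 'encrypted cookie'
SIGN_SALT = 'signed encrypted cookie'

def derive_keys(secret_key_base)
  kdf = ->(salt) { OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, 1000, 64) }
  [kdf.call(ENC_SALT)[0, 32], kdf.call(SIGN_SALT)] # AES-256 key, HMAC key
end

def secure_compare(a, b) # constant-time comparison of two equal-length strings
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the deserialized value, or nil if the cookie is malformed or tampered with.
def decrypt_cookie(cookie, secret_key_base, serializer: :json)
  enc_key, sign_key = derive_keys(secret_key_base)
  data, digest = URI.decode_www_form_component(cookie).split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), sign_key, data)
  return nil unless secure_compare(expected, digest) # verify before decrypting
  ciphertext, iv = data.unpack1('m0').split('--', 2).map { |p| p.unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = enc_key
  cipher.iv = iv
  plain = cipher.update(ciphertext) + cipher.final
  # Marshal.load can instantiate arbitrary objects; it is only reached after the HMAC check.
  serializer == :marshal ? Marshal.load(plain) : JSON.parse(plain)
rescue ArgumentError, TypeError, OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# Constructed-input helper: builds a URL-escaped cookie in the same assumed format.
def encrypt_cookie(value, secret_key_base, serializer: :json)
  enc_key, sign_key = derive_keys(secret_key_base)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  plain = serializer == :marshal ? Marshal.dump(value) : JSON.generate(value)
  blob = [cipher.update(plain) + cipher.final, iv].map { |p| [p].pack('m0') }.join('--')
  data = [blob].pack('m0')
  URI.encode_www_form_component("#{data}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), sign_key, data)}")
end
```

When porting to another language, the JSON path only needs PBKDF2, HMAC-SHA1, AES-CBC and Base64; the Marshal path additionally needs a Marshal reader, and the signature check must stay ahead of it.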