nonopolarity

Reputation: 151126

Why can't a Rails session cookie be Base64 decoded completely?

One example of a Rails 2.3.8 session cookie is

BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2--67046ba78aa6d656ec7c64e73aac156f5e503627

so I assume the second part (after the --) is a checksum, and if a Base64 decode is done:

$ script/console
Loading development environment (Rails 2.3.8)

 > Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2")
 => "\004\b{\a:\vfoobari\a:\017session_id\"%b394a4ad4852964c6455378e34b93f16" 

 > puts Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2")
{:
  foobari:session_id"%b394a4ad4852964c6455378e34b93f16

supposedly foobar should have a value of 2 and it won't show... and what is the session_id for if it is based on a cookie -- why does it need an id?

Upvotes: 5

Views: 3879

Answers (1)

pseidemann

Reputation: 2139

The code after the -- is a SHA, hashed with the session secret defined in the application.

And here about the ID.

Edit:

Marshal.load(Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2--67046ba78aa6d656ec7c64e73aac156f5e503627".split('--').first))

=> {:foobar=>2, :session_id=>"b394a4ad4852964c6455378e34b93f16"}

Upvotes: 8
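The cookie shape in this thread (Base64 of a Marshal dump, then "--", then a 40-hex-character HMAC-SHA1 over the Base64 text) can be rebuilt and, more importantly, verified before anything is unmarshalled. The following is an added example modelled on that scheme, not Rails' own CookieStore/MessageVerifier code; the secret and the session contents are constructed values.

```ruby
require 'base64'
require 'openssl'

# Hex HMAC-SHA1 over the Base64 text (the part before the "--").
def session_digest(payload_b64, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload_b64)
end

# Build a cookie value of the "<base64 marshal>--<hex hmac>" shape seen above.
def build_session_cookie(session_hash, secret)
  payload = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{payload}--#{session_digest(payload, secret)}"
end

# Constant-time comparison so a bad signature fails in the same time as a near miss.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Return the session hash, or nil when the signature does not verify.
# Marshal.load runs only after the HMAC check passes; unmarshalling an
# unverified cookie (as the bare decode in the answer does) trusts client data.
def read_session_cookie(cookie, secret)
  payload, digest, extra = cookie.to_s.split('--')
  return nil if payload.nil? || digest.nil? || !extra.nil?
  return nil unless secure_compare(digest, session_digest(payload, secret))
  Marshal.load(Base64.decode64(payload))
end

if __FILE__ == $0
  secret = 'constructed-example-secret'           # not a real application secret
  cookie = build_session_cookie({ foobar: 2, session_id: 'b394a4ad4852964c6455378e34b93f16' }, secret)
  puts cookie
  p read_session_cookie(cookie, secret)            # {:foobar=>2, :session_id=>"b394..."}
  p read_session_cookie(cookie, 'wrong-secret')    # nil
end
```

The digest is tied to the secret, so changing :foobar in the payload and re-encoding it without the secret yields a cookie that read_session_cookie rejects.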
