One example of a Rails 2.3.8 session cookie is
BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2--67046ba78aa6d656ec7c64e73aac156f5e503627
so I assume the second part (after the --) is a checksum, and if a Base64 decode is done:
$ script/console
Loading development environment (Rails 2.3.8)
> Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2")
=> "\004\b{\a:\vfoobari\a:\017session_id\"%b394a4ad4852964c6455378e34b93f16"
> puts Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2")
{:
foobari:session_id"%b394a4ad4852964c6455378e34b93f16
supposedly foobar should have a value of 2 and it won't show... and what is the session_id for if it is based on a cookie -- why does it need an id?
This method helps you to manually decrypt the session cookie in Rails 5.2. In Chrome you can retrieve the session cookie string from Dev Tools > Application > Cookies > _application_name_session. By default a Rails >= 5.2 app uses JSON as the cookie serializer.
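As an added illustration of the 5.2 layout that answer refers to (example code, not from the answer and not Rails' own implementation): it derives the AES-256-GCM key from secret_key_base with PBKDF2-HMAC-SHA1 (1000 iterations, salt "authenticated encrypted cookie"), which is my understanding of what the Rails 5.2 key generator and the authenticated-encrypted-cookie settings do, serializes the session as JSON, and expects the cookie value as base64(ciphertext)--base64(iv)--base64(auth tag), percent-encoded the way the browser shows it. SECRET_KEY_BASE and the session contents are made-up values; to decode a real cookie, substitute the secret_key_base from the app's credentials.

```ruby
require "base64"
require "cgi"
require "json"
require "openssl"

# Added example, not from the answer above. Reproduces the Rails 5.2 encrypted
# CookieStore layout as I understand it (assumptions, not Rails' own code):
#   key  = PBKDF2-HMAC-SHA1(secret_key_base, SALT, 1000 iterations, 32 bytes)
#   body = base64(ciphertext) + "--" + base64(iv) + "--" + base64(auth_tag)
#   plaintext = JSON of the session hash
SECRET_KEY_BASE = ("0123456789abcdef" * 8).freeze   # made-up 128-char secret
SALT = "authenticated encrypted cookie".freeze
CIPHER = "aes-256-gcm".freeze

# Derive the symmetric key the way Rails' KeyGenerator does for this cipher.
def derive_key(secret_key_base = SECRET_KEY_BASE)
  key_len = OpenSSL::Cipher.new(CIPHER).key_len   # 32 bytes for AES-256
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SALT, 1000, key_len)
end

# Produce a cookie value as it would appear in Set-Cookie / DevTools.
def encrypt_session(session_hash, secret_key_base = SECRET_KEY_BASE)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret_key_base)
  iv = cipher.random_iv            # 12-byte GCM nonce, fresh per cookie
  cipher.auth_data = ""            # Rails authenticates no extra data
  ciphertext = cipher.update(JSON.generate(session_hash)) + cipher.final
  body = [ciphertext, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
  CGI.escape(body)
end

# Decrypt and authenticate; returns nil for a wrong key, a tampered cookie,
# a truncated tag or malformed base64 instead of raising.
def decrypt_session(cookie_value, secret_key_base = SECRET_KEY_BASE)
  parts = CGI.unescape(cookie_value).split("--")
  return nil unless parts.length == 3
  ciphertext, iv, tag = parts.map { |p| Base64.strict_decode64(p) }
  return nil unless tag.bytesize == 16   # reject short tags, as Rails does
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = derive_key(secret_key_base)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  JSON.parse(cipher.update(ciphertext) + cipher.final)   # final verifies the tag
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Swap the auth tag for zeros: ciphertext untouched, but GCM must reject it.
def tamper_tag(cookie_value)
  ct, iv, _tag = CGI.unescape(cookie_value).split("--")
  CGI.escape([ct, iv, Base64.strict_encode64("\0" * 16)].join("--"))
end

if $PROGRAM_NAME == __FILE__
  # Constructed session contents, not taken from any real app.
  session = { "session_id" => "b394a4ad4852964c6455378e34b93f16", "_csrf_token" => "constructed" }
  cookie = encrypt_session(session)
  puts cookie
  p decrypt_session(cookie)                   # the session hash
  p decrypt_session(cookie, "other-secret")   # nil
  p decrypt_session(tamper_tag(cookie))       # nil
end
```

The decryption path never returns partial plaintext: with GCM the tag is checked in `final`, so a forged or bit-flipped cookie fails closed, which is the property that lets Rails keep the whole session on the client without a server-side lookup.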
Rails uses encryption to securely prevent tampering with the session contents, however, users cannot revoke sessions because the contents are stored on the browser.
Cookies, Sessions and Flashes are three special objects that Rails gives you, each of which behaves a lot like a hash. They are used to persist data between requests, whether until just the next request, until the browser is closed, or until a specified expiration has been reached.
The code after the -- is a SHA, hashed with the session secret defined in the application.
And here about the ID.
Edit:
Marshal.load(Base64.decode64("BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2--67046ba78aa6d656ec7c64e73aac156f5e503627".split('--').first))
=> {:foobar=>2, :session_id=>"b394a4ad4852964c6455378e34b93f16"}
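Putting that answer's two points together as an added example (not code from the question or the answer): the Rails 2.3 cookie is Base64(Marshal.dump(session hash)) followed by -- and an HMAC-SHA1 hex digest of the Base64 part, keyed with the session secret. SECRET below is made up, so the cookie from the question can only be peeked at, not verified. The order of operations is the security-relevant part: check the HMAC with a constant-time comparison before calling Marshal.load, because Marshal.load on bytes a client controls is a code-execution primitive and the signature is the only thing keeping untrusted data out of the deserializer.

```ruby
require "base64"
require "openssl"

# Added example, not from the original post. Models the Rails 2.3 CookieStore
# format: Base64(Marshal.dump(hash)) + "--" + hex(HMAC-SHA1(secret, base64_part)).
# SECRET is a made-up value; the question's real session secret is unknown.
SECRET = "made-up-session-secret-for-this-example".freeze

# The cookie quoted in the question, signed with a secret we do not have.
QUESTION_COOKIE = "BAh7BzoLZm9vYmFyaQc6D3Nlc3Npb25faWQiJWIzOTRhNGFkNDg1Mjk2NGM2NDU1Mzc4ZTM0YjkzZjE2--67046ba78aa6d656ec7c64e73aac156f5e503627".freeze

# Build a signed cookie value the way Rails 2.3 does.
def sign_session(hash, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(hash))
  digest = OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  "#{data}--#{digest}"
end

# Constant-time comparison so a forger cannot learn the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify the HMAC first, and only then Marshal.load the payload.
# Returns nil (never a partially trusted hash) when the signature is bad.
def load_session(cookie, secret = SECRET)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, data)
  return nil unless secure_compare(expected, digest)
  Marshal.load(Base64.decode64(data))
end

# Decode WITHOUT verifying. Fine for looking at a cookie you issued yourself
# in a console; never call this on a value that came from a client.
def peek_session(cookie)
  Marshal.load(Base64.decode64(cookie.split("--", 2).first))
end

if $PROGRAM_NAME == __FILE__
  p peek_session(QUESTION_COOKIE)            # {:foobar=>2, :session_id=>"b394..."}
  p load_session(QUESTION_COOKIE)            # nil: our SECRET is not the app's
  fresh = sign_session({ foobar: 2, session_id: "constructed-id" })
  p load_session(fresh)                      # round-trips
  # Forgery attempt: a payload saying foobar=3 glued to the digest of foobar=2.
  forged = sign_session({ foobar: 3, session_id: "constructed-id" }).split("--").first +
           "--" + fresh.split("--").last
  p load_session(forged)                     # nil: HMAC does not match
end
```

This also answers the "why an id" part of the question only indirectly: the session_id is just another key in the marshalled hash, carried along under the same signature as everything else.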