ruby-on-rails - How do I manually decrypt a Rails 5 session cookie?

Reposted. Author: 行者123. Updated: 2023-12-04 04:39:29

I have access to

  • config.action_dispatch.encrypted_cookie_salt
  • config.action_dispatch.encrypted_signed_cookie_salt
  • secrets.secret_key_base
  • the full cookie string (including the --)

I have seen how to do this for Rails 4 (Rails 4: How to decrypt rails 4 session cookie (Given the session key and secret)), but that approach does not seem to work in Rails 5.

Best answer

I ran into the same problem a few days ago and found that the generated key is 64 bytes long (on my Mac), whereas Rails makes sure the key is 32 bytes long (source).

This worked for me:

    require 'cgi'
    require 'json'
    require 'active_support'
    require 'active_support/key_generator'
    require 'active_support/message_encryptor'

    def verify_and_decrypt_session_cookie(cookie, secret_key_base)
      # The cookie arrives URL-escaped in the Cookie header
      cookie = CGI.unescape(cookie)
      # Defaults of config.action_dispatch.encrypted_cookie_salt and
      # config.action_dispatch.encrypted_signed_cookie_salt
      salt = 'encrypted cookie'
      signed_salt = 'signed encrypted cookie'
      # aes-256-cbc is the Rails 5.0/5.1 default; pinned here because later
      # ActiveSupport versions default to aes-256-gcm, which uses a different format
      cipher = 'aes-256-cbc'
      key_generator = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
      # generate_key returns 64 bytes; the cipher only uses the first 32
      secret = key_generator.generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
      sign_secret = key_generator.generate_key(signed_salt)
      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: cipher, serializer: JSON)

      encryptor.decrypt_and_verify(cookie)
    end

Or without ActiveSupport:

    require 'openssl'
    require 'base64'
    require 'cgi'
    require 'json'

    def verify_and_decrypt_session_cookie(cookie, secret_key_base)
      cookie = CGI.unescape(cookie)

      #################
      # generate keys #
      #################
      encrypted_cookie_salt = 'encrypted cookie' # default: Rails.application.config.action_dispatch.encrypted_cookie_salt
      encrypted_signed_cookie_salt = 'signed encrypted cookie' # default: Rails.application.config.action_dispatch.encrypted_signed_cookie_salt
      iterations = 1000
      key_size = 64
      secret = OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, encrypted_cookie_salt, iterations, key_size)[0, OpenSSL::Cipher.new('aes-256-cbc').key_len]
      sign_secret = OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, encrypted_signed_cookie_salt, iterations, key_size)

      ##########
      # Verify #
      ##########
      data, digest = cookie.split('--')
      raise 'invalid message' unless digest == OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, sign_secret, data)
      # you had better use a secure compare instead of `==` to prevent timing attacks,
      # ref: ActiveSupport::SecurityUtils.secure_compare

      ###########
      # Decrypt #
      ###########
      encrypted_message = Base64.strict_decode64(data)
      encrypted_data, iv = encrypted_message.split('--').map { |v| Base64.strict_decode64(v) }
      cipher = OpenSSL::Cipher.new('aes-256-cbc')
      cipher.decrypt
      cipher.key = secret
      cipher.iv = iv
      decrypted_data = cipher.update(encrypted_data)
      decrypted_data << cipher.final

      JSON.load(decrypted_data)
    end

Feel free to comment on the gist: https://gist.github.com/mbyczkowski/34fb691b4d7a100c32148705f244d028
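As an added example (not the answerer's code), the encrypting side of the same Rails 5.0/5.1 scheme is shown next to a decryptor that uses the constant-time comparison the answer recommends, so a constructed cookie can be round-tripped offline and a tampered or wrongly keyed cookie can be seen to fail verification before any decryption happens. The secret_key_base and session contents used in the test are constructed values, and the functions deal in the URL-escaped form that appears in the Cookie header.

```ruby
require 'openssl'
require 'base64'
require 'cgi'
require 'json'

# Added example (not the answerer's code): the encrypting side of the same
# Rails 5.0/5.1 scheme (aes-256-cbc + HMAC-SHA1) so a constructed cookie can
# be round-tripped offline. Layout: base64(base64(ct)--base64(iv))--hex(hmac).
SALT        = 'encrypted cookie'
SIGNED_SALT = 'signed encrypted cookie'
ITERATIONS  = 1000
CIPHER      = 'aes-256-cbc'

def derive_keys(secret_key_base)
  # PBKDF2 yields 64 bytes; only the cipher's 32-byte key length is used for AES.
  kdf = ->(salt) { OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, salt, ITERATIONS, 64) }
  [kdf.call(SALT)[0, OpenSSL::Cipher.new(CIPHER).key_len], kdf.call(SIGNED_SALT)]
end

# Constant-time comparison: `==` stops at the first differing byte and leaks its position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the cookie value as it would appear in the Set-Cookie header (URL-escaped).
def encrypt_session_cookie(session_hash, secret_key_base)
  secret, sign_secret = derive_keys(secret_key_base)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = secret
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.dump(session_hash)) + cipher.final
  inner = "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}"
  data = Base64.strict_encode64(inner)
  CGI.escape("#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', sign_secret, data)}")
end

# Verifies the HMAC first, then decrypts; raises on tampering or a wrong secret_key_base.
def decrypt_session_cookie(escaped_cookie, secret_key_base)
  secret, sign_secret = derive_keys(secret_key_base)
  data, digest = CGI.unescape(escaped_cookie).split('--')
  expected = OpenSSL::HMAC.hexdigest('SHA1', sign_secret, data.to_s)
  raise 'invalid message' unless digest && secure_compare(expected, digest)
  ciphertext, iv = Base64.strict_decode64(data).split('--').map { |v| Base64.strict_decode64(v) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = secret
  cipher.iv = iv
  JSON.parse(cipher.update(ciphertext) + cipher.final)
end
```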

Regarding "ruby-on-rails - How do I manually decrypt a Rails 5 session cookie?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41474176/
