
I have a Rails website; how do I write a program to decrypt a webpage's cookies in Java?

For example, I have the cookies from my rails webpage:
issp_session=BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJWVhODhhYmMyMjgwNDA2M2NkNjI2ZjE5MWM5ZjVkYzlkBjsAVEkiFmFjY291bnRfcmV0dXJuX3RvBjsARiIGL0kiEF9jc3JmX3Rva2VuBjsARkkiMTJpOUszQmFablpnSkJvYW5JaFk5dWdWWGFWV3M2K0dTNXVwcFhZbzkxWFU9BjsARg%3D%3D--7f3a5f578c9199ed11d44f0deb842dde9e267e8b

I know BAh7CEkiD3Nlc3Npb25faWQGOgZFRkkiJWVhODhhYmMyMjgwNDA2M2NkNjI2ZjE5MWM5ZjVkYzlkBjsAVEkiFmFjY291bnRfcmV0dXJuX3RvBjsARiIGL0kiEF9jc3JmX3Rva2VuBjsARkkiMTJpOUszQmFablpnSkJvYW5JaFk5dWdWWGFWV3M2K0dTNXVwcFhZbzkxWFU9BjsARg%3D%3D--7f3a5f578c9199ed11d44f0deb842dde9e267e8b is the cookie that has been encoded and 7f3a5f578c9199ed11d44f0deb842dde9e267e8b is the key of this cookie.

So my question is: how do I write a program to actually decrypt this cookie?

user3200976

2 Answers

0

First, you should look for libraries to decode base64 encoding to get the binary data.

If your application is configured correctly, however, you shouldn't be able to deduce any meaningful data. The application uses XSRF cookies that are HMAC-signed and sometimes also encrypted.

Uli Köhler
  • What can I do after I get the binary data? – user3200976 Jan 23 '14 at 20:14
  • The binary data is not really useful as-is (because it's encrypted). What do you intend to do with it? – Uli Köhler Jan 23 '14 at 20:20
  • I want to decrypt the cookies so that every time I get to this webpage my application knows: "Oh, this is the webpage that I am looking for!" So then I could do something else. – user3200976 Jan 23 '14 at 20:33
  • Why don't you just add another cleartext cookie (e.g. with the application name)? To my knowledge what you intend to do isn't possible with session cookies, especially not if your application needs to be secure. – Uli Köhler Jan 23 '14 at 20:38
0

You should find out the algorithm used to encrypt/decrypt the cookie that Rails uses and then translate that to Java.

A while back, I provided the answer for How to decrypt a Rails 5 session cookie manually? and used my Ruby implementation to translate that to Lua (my gist), so I could decrypt a Rails session cookie in Nginx.

matb
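Both answers describe the same mechanism: the value before `--` is Base64-encoded serialized data and the hex string after it is an HMAC over that data, so the server's job is to verify the signature with its secret before it deserializes anything. The following Ruby is an added example, not code from either answer or from Rails itself; it reproduces the Rails 3 style signed-cookie layout (Base64 of a `Marshal` dump, `--`, HMAC-SHA1 hex digest) with a constructed secret and a constructed session hash, and the function names (`sign_session`, `verify_session`, `peek_payload`) are the example's own. The point it makes for the question's use case: Base64 decoding needs no key and exposes the structure, but only the party holding the secret can confirm the cookie is genuine, and a verifier must refuse to `Marshal.load` anything whose signature does not match.

```ruby
require 'base64'
require 'openssl'
require 'cgi'

# Constructed secret for the example; a real app keeps its secret out of source.
SECRET = 'constructed-example-secret-do-not-reuse'.freeze

# Build a Rails-3-style signed cookie: Base64(Marshal.dump(hash)) + "--" + HMAC-SHA1 hex.
# Base64 output and a hex digest never contain "-", so "--" is an unambiguous separator.
def sign_session(hash, secret = SECRET)
  payload = Base64.strict_encode64(Marshal.dump(hash))
  digest = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so a verifier does not leak the expected digest via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Split a cookie value as the browser sends it (URL-encoded, e.g. "%3D%3D" for "==")
# into the Base64 payload and the hex signature.
def split_cookie(raw)
  value = CGI.unescape(raw)
  payload, sig = value.split('--', 2)
  raise ArgumentError, 'cookie has no signature' if sig.nil?
  [payload, sig]
end

# Verify first, deserialize second. Returns nil when the signature does not match:
# Marshal.load must never run on data that has not been authenticated.
def verify_session(raw, secret = SECRET)
  payload, sig = split_cookie(raw)
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  return nil unless secure_compare(expected, sig)
  Marshal.load(Base64.strict_decode64(payload))
end

# Decoding alone needs no key: it reveals the Marshal bytes (a Hash dump starts
# with "\x04\b{", which is why such cookies begin with "BAh7") but proves nothing
# about who produced the cookie.
def peek_payload(raw)
  payload, _sig = split_cookie(raw)
  Base64.strict_decode64(payload)
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ 'session_id' => 'abc123', 'user_id' => 7 })
  puts "cookie:   #{cookie}"
  puts "verified: #{verify_session(cookie).inspect}"
  puts "wrong key: #{verify_session(cookie, 'other-secret').inspect}"
end
```

Running the file signs a constructed session, verifies it, and shows that the same cookie is rejected under a different secret. A client that does not hold the server's secret can run `peek_payload` to see the serialized structure but cannot pass `verify_session`; conversely, a server that skipped the HMAC check would be deserializing whatever the client sent.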