如何解密签名的cookie
How to decrypt signed cookies
我正在尝试解密已签名的 cookie,但没有成功。
我在我的会话控制器中使用签名 cookie 的方式是这样的
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by_email(params[:email])
if user && user.authenticate(params[:password])
if params[:remember_me]
cookies.signed[:auth_token] = { value: user.auth_token, expires: 2.weeks.from_now }
else
cookies.signed[:auth_token] = user.auth_token
end
redirect_to root_url, notice: "Logged in!"
else
flash.now.alert = "Email or password is invalid"
render :new
end
end
def destroy
cookies.delete(:auth_token)
redirect_to root_url, notice: 'Logged Out'
end
end
现在在应用程序控制器端,我正在尝试解密它
require 'cgi'
require 'active_support'
class ApplicationController < ActionController::Base
protect_from_forgery
def current_user
@current_user ||= User.find_by(auth_token: verify_and_decrypt)
end
def verify_and_decrypt
config = Rails.application.config
cookie = CGI::unescape(cookies[:auth_token])
salt = config.action_dispatch.authenticated_encrypted_cookie_salt
encrypted_cookie_cipher = config.action_dispatch.encrypted_cookie_cipher || 'aes-256-gcm'
serializer = ActiveSupport::MessageEncryptor::NullSerializer
key_generator = ActiveSupport::KeyGenerator.new(Rails.application.secret_key_base, iterations: 1000)
key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
secret = key_generator.generate_key(salt, key_len)
encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: serializer)
cookie = encryptor.decrypt_and_verify(cookie)
cookie
end
end
但是每次都在这一行失败 cookie = encryptor.decrypt_and_verify(cookie)
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
from /home/anikettiwari/.rvm/gems/ruby-2.5.3/gems/activesupport-5.2.4.1/lib/active_support/message_encryptor.rb:190:in `_decrypt'
谁能告诉我我做错了什么
为了参考,我检查了这个 link
您可以通过标准 rails 界面读取 cookie:value = cookies.signed[:auth_token]
至于为什么你的解密器不起作用 - 你生成了新的加密盐,但要解密一个应该使用与加密过程中使用的盐相同的盐。
另请记住,已签名的 cookie 并未完全加密 - 它们只是防止篡改,但可以被用户读取
我正在尝试解密已签名的 cookie,但没有成功。
我在我的会话控制器中使用签名 cookie 的方式是这样的
class SessionsController < ApplicationController
def new
end
def create
user = User.find_by_email(params[:email])
if user && user.authenticate(params[:password])
if params[:remember_me]
cookies.signed[:auth_token] = { value: user.auth_token, expires: 2.weeks.from_now }
else
cookies.signed[:auth_token] = user.auth_token
end
redirect_to root_url, notice: "Logged in!"
else
flash.now.alert = "Email or password is invalid"
render :new
end
end
def destroy
cookies.delete(:auth_token)
redirect_to root_url, notice: 'Logged Out'
end
end
现在在应用程序控制器端,我正在尝试解密它
require 'cgi'
require 'active_support'
class ApplicationController < ActionController::Base
protect_from_forgery
def current_user
@current_user ||= User.find_by(auth_token: verify_and_decrypt)
end
def verify_and_decrypt
config = Rails.application.config
cookie = CGI::unescape(cookies[:auth_token])
salt = config.action_dispatch.authenticated_encrypted_cookie_salt
encrypted_cookie_cipher = config.action_dispatch.encrypted_cookie_cipher || 'aes-256-gcm'
serializer = ActiveSupport::MessageEncryptor::NullSerializer
key_generator = ActiveSupport::KeyGenerator.new(Rails.application.secret_key_base, iterations: 1000)
key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
secret = key_generator.generate_key(salt, key_len)
encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: serializer)
cookie = encryptor.decrypt_and_verify(cookie)
cookie
end
end
但是每次都在这一行失败 cookie = encryptor.decrypt_and_verify(cookie)
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
from /home/anikettiwari/.rvm/gems/ruby-2.5.3/gems/activesupport-5.2.4.1/lib/active_support/message_encryptor.rb:190:in `_decrypt'
谁能告诉我我做错了什么
为了参考,我检查了这个 link
您可以通过标准 rails 界面读取 cookie:value = cookies.signed[:auth_token]
至于为什么你的解密器不起作用 - 你生成了新的加密盐,但要解密一个应该使用与加密过程中使用的盐相同的盐。
另请记住,已签名的 cookie 并未完全加密 - 它们只是防止篡改,但可以被用户读取