A simple script to decode Rails 4 session cookies

decode_session_cookie.rb

# decode_session_cookie.rb
# ------------------------
# The purpose of this script is to show that if I have the secret_key_base
# and a cookie to an active Rails session, I can decrypt it and gain access
# to key information about the user's session.

require 'rubygems'
require 'cgi'
require 'active_support'

def decrypt_session_cookie(cookie, key)
  cookie = CGI::unescape(cookie)
  
  # Default values for Rails 4 apps
  key_iter_num = 1000
  key_size     = 64
  salt         = "encrypted cookie"         
  signed_salt  = "signed encrypted cookie"  

  key_generator = ActiveSupport::KeyGenerator.new(key, iterations: key_iter_num)
  secret = key_generator.generate_key(salt)
  sign_secret = key_generator.generate_key(signed_salt)

  encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
  puts encryptor.decrypt_and_verify(cookie)
end


# Time to test ... (With data from Arbeit327)
cookie = 'WVFQVTFtbmNxWWJPODZNb3NUMVZzZGtDVjZQNXpMYStFMWdiZlJPMkdjRFRBOGZ5T3pOTzBPKzk3NWxvQUJvTlRRU2t4MXZmdG8rT0I0R2M3Ulh0YXpxRVhNMll5UW1xUHhvVXBLbXozZ3ZyNjB4VDU4dWRIUkxBWjBXbDJhci93YkYrZWswUHdFL0hUNDJaUHo2cEpxbXFvdlFZMjJWVU9KTWhHb3NyalFwTkphd0pUQVZSTXRHbkVqRlFnSGpNVTNFQlVxYlRmT3pWbXNjK0JuQ3FydzQvODRhbmtuU29haGNRbXQ4T3o1ZjhqMk53WTRMa0pVd1hPb2NHTVFQY3dvanE2ZElqUk1Mc21HS0k2SHVuZEZ3OWhjdzZPQnRSMEdVVkQwL2IxSVh5QzNSWVlJZms5c1JJV0lzUE1Zb1NHbEtqYm5nTGRKd1ZSdGpOQ1RZZWthR1A2anRFMEluaTcyWTNaNHJBR1N0dklzMkg1RjVmVmY4azEzV3o0N2Z2LS1wQlowRUZ6cjI3SVFQU0F5bGlYSDNnPT0%3D--19650cc5c3e2599fb43b7235ab4de5a1ce8a46ac'
key = 'aeb977de013ade650b97e0aa5246813591104017871a7753fe186e9634c9129b367306606878985c759ca4fddd17d955207011bb855ef01ed414398b4ac8317b'

decrypt_session_cookie(cookie, key)

# RESULT SHOULD BE:
# {"session_id"=>"ed15f10de5708322d240eca41b7bbcd0", "_csrf_token"=>"yJK0VWRE6ykxOTnllfMt6pZE7SBhXgfZSQS2Fft0l8w=", 
#  "user_id"=>1, "project_ids"=>[1, 2, 3, 4], "role"=>"admin"}

I'm getting ActiveSupport::MessageVerifier::InvalidSignature exception.
What can be the reason?

Until a few days ago it was working fine for me, but today I also started to get that exception. It might have been related to a Rails upgrade we did recently (we're now using 4.2.3).

Eventually I figured what changes were needed to make the script work again, and the result is here https://gist.github.com/pdfrod/9c3b6b6f9aa1dc4726a5

I was trying this with Rails 5.0.2 and I needed to trim the secret to be 32 bytes (https://gist.github.com/profh/e36e5dd0bec124fef04c#file-decode_session_cookie-rb-L21).
secret = key_generator.generate_key(salt)[0, 32]

The example cookie and key works fine, but my development cookie and key doesn't work properly (cause ActiveSupport::MessageVerifier::InvalidSignature or ActiveSupport::MessageVerifier::InvalidMessage).

My cookie separates into two like the following.

Cookie: _session_id=ImVhOWYwNzRhNzE0NmNkNTY3MTllNTk1NDYwOGQxNjA0Ig%3D%3D--7ea05fd744c8920020f6b4ee1580f3b9a3a8f8c6; _testapp_session=ZEZkOFhjSEhZT0FqZW52aFhUaE01eE5aY21jSU5XbVhhWTdtT0NqdkhZQ0lBWElsSC9KNEsrZFFQK0ZBczB0UmpiaWlSbnBycDFDRzFDWklPWFlJYmlOR0xaS1JuNk9uM29OUHlCOHpSa0VYckkyRmtQeFFpVE5MdVBtUFdIc29Ed0ExcE5mcEl6d2RKK3Qzb2tpSTJjaS9GZGh6bStvb0pqM3UxRmVCdFJoQ3N2alBTTWVYSHkxTDZVVjZ1bmZDcXA1OE53SURGbzJnaDNlWlVLdjBBbnN2eUlPcS8rT1N3WTRldkJaSkE2YmxGT1htTC9rVkVYbWZqWW1NcENvS1gvT2M3eVRlVklOWlpOZzJ0Q1dHb3c9PS0tNXI3bUpwSE1pK3lwdlIzQ2dhN3hjdz09--8eeb9117481adeb1d307a42bef8e81e6f3da0790

How do I decrypt this cookie?

I mocked Rails behavior from ActionDispatch::Cookies:

env = {
  "action_dispatch.signed_cookie_salt" => Rails.application.config.action_dispatch.signed_cookie_salt,
  "action_dispatch.encrypted_cookie_salt" => Rails.application.config.action_dispatch.encrypted_cookie_salt,
  "action_dispatch.encrypted_signed_cookie_salt" => Rails.application.config.action_dispatch.encrypted_signed_cookie_salt,
  "action_dispatch.secret_key_base" => Rails.application.secrets.secret_key_base,
  "action_dispatch.cookies_serializer" => Rails.application.config.action_dispatch.cookies_serializer,
  "action_dispatch.key_generator" => Rails.application.key_generator
}
mock_request = OpenStruct.new
mock_request.env = env
mock_request.cookies = cookies # should be a hash
jar = ActionDispatch::Cookies::CookieJar.build(mock_request)
app_cookies_key = Rails.application.config.session_options[:key]
jar.encrypted[app_cookies_key]