rails-cookies-everywhere / rails-cookies-rust

Rails cookie parser written in Rust
MIT License

Rails 5 cookies cannot be decoded/parsed. #1

Open endoze opened 2 weeks ago

endoze commented 2 weeks ago

When trying this crate out with Rails 5 sessions, it's currently unable to parse them. While newer versions of Rails send sessions in the format of cipher_text--iv--auth_tag, Rails 5 does it a bit differently. They encode it more like this: cipher_and_iv_base64_encoded--auth_tag. You need to base64 decode the first part to get ahold of the actual cipher_text and iv.

In your code, it assumes that a session is always in three parts instead of 2 like it is in the case of Rails 5 sessions. For a working and fairly robust implementation, I'd look at the message_verifier crate. While working on an Axum extractor for Rails session data, I came across both your crate and the aforementioned one as viable implementations. Just thought I'd share my findings and I hope this information can be of some use to you.
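The two layouts described in the comment above, as an added example that is not part of the original post and is not code from this crate or from message_verifier. `Segments`, `segments`, `b64_decode` and `split_cookie` are hypothetical names, the sample cookies are constructed, and it assumes the cookie value is already URL-decoded and that the base64-decoded first part of a Rails 5 cookie is itself `cipher_text--iv`.

```rust
// Added example: split a session cookie in either layout described in the issue.
#[derive(Debug, PartialEq)]
struct Segments { rails5_layout: bool, cipher_text: String, iv: String, auth_tag: String }

fn segments(rails5_layout: bool, ct: &str, iv: &str, tag: &str) -> Segments {
    Segments { rails5_layout, cipher_text: ct.into(), iv: iv.into(), auth_tag: tag.into() }
}

// Minimal standard-alphabet base64 decoder, so the example needs no crates.
fn b64_decode(input: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for byte in input.trim_end_matches('=').bytes() {
        let value = ALPHABET.iter().position(|&c| c == byte)? as u32;
        acc = (acc << 6) | value;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1 << bits) - 1;
        }
    }
    Some(out)
}

// Returns the still-encoded segments; decryption and tag checks are out of scope.
fn split_cookie(cookie: &str) -> Result<Segments, String> {
    let parts: Vec<&str> = cookie.split("--").collect();
    match parts.as_slice() {
        // Newer layout: cipher_text--iv--auth_tag
        [ct, iv, tag] => Ok(segments(false, ct, iv, tag)),
        // Rails 5 layout: base64(cipher_text--iv)--auth_tag (inner form is an assumption)
        [wrapped, tag] => {
            let inner = b64_decode(wrapped).ok_or("first segment is not base64")?;
            let inner = String::from_utf8(inner).map_err(|_| "decoded segment is not text")?;
            let (ct, iv) = inner.split_once("--").ok_or("decoded segment lacks cipher_text--iv")?;
            Ok(segments(true, ct, iv, tag))
        }
        _ => Err(format!("unexpected segment count: {}", parts.len())),
    }
}

fn main() {
    // Constructed sample cookies, not real session data.
    for cookie in ["Y3Q=--aXY=--dGFn", "WTNRPS0tYVhZPQ==--dGFn", "onlyonepart"] {
        println!("{:?}", split_cookie(cookie));
    }
}
```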

endoze commented 2 weeks ago

If you're interested, I published my Axum extractor which can be used with loco.