
Understanding & Sharing Rails sessions

Understand how Rails sessions work, the crypto applied to them, the risks if you are running a version of Rails older than 4.1, and how to share the session with apps written in other languages.

Matt Aimonetti

September 13, 2014

Transcript

  1. Matt Aimonetti Splice: Go, Ruby, JS, Obj-C, C#, C++, C

    Matt Aimonetti - splice.com - @mattetti
  2. The events depicted in this presentation took place in California in 2014.
     At the request of the survivors, the names have been changed. Out of respect for the dead, the rest has been told exactly as it occurred.
  3. Abe

  4. {}

  5. require "active_support"
     # derived_secret is not defined on the slide; assumed here to be the Rails 4.1 "signed cookie" key derived from secret_key_base
     key_generator = ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
     derived_secret = key_generator.generate_key("signed cookie")
     verifier = ActiveSupport::MessageVerifier.new(derived_secret)
     msg = { user: "Matt", role: "villain" }
     signed_message = verifier.generate(msg)
     # => "BAh7BzoKd2hlcmVJIg5CYXJjZWxvbmEGOgZFVDoJd2hhdEkiC0JhcnVjbwY7BlQ=--ad7af07ad5b384d458b7cf8a962c04fc53ed81d1"
  6. # secret is not defined on the slide; assumed here to be the 32-byte "encrypted cookie" key (AES-256-CBC key size)
     secret = key_generator.generate_key("encrypted cookie", 32)
     crypt_secret = key_generator.generate_key("signed encrypted cookie")
     encryptor = ActiveSupport::MessageEncryptor.new(secret, crypt_secret)
     message = encryptor.encrypt_and_sign({ msg: "hello world" })
     encryptor.decrypt_and_verify(message) # => {:msg => "hello world"}
  7. Eve

  8. type Person struct {
         Id        int    `json:"id"`
         FirstName string `json:"first_name"`
         LastName  string `json:"last_name"`
         Age       int    `json:"age"`
     }
     john := Person{Id: 12, FirstName: "John", LastName: "Doe", Age: 42}
  9. // KeyGenerator and MessageEncryptor are the Go counterparts of the Rails classes;
     // railsSecret is the app's secret_key_base and the salts are the Rails cookie salts
     kg := KeyGenerator{Secret: railsSecret}
     // derived keys
     secret := kg.CacheGenerate(cookieSalt, 32)
     signSecret := kg.CacheGenerate(signedCookieSalt, 64)
     e := MessageEncryptor{Key: secret, SignKey: signSecret}
  10. // john := Person{Id: 12, FirstName: "John", LastName: "Doe", Age: 42}
      msg, err := e.EncryptAndSign(john)
      if err != nil {
          log.Fatal(err)
      }
  11. // decrypting the person object contained in the session
      var sessionContent Person
      err = e.DecryptAndVerify(msg, &sessionContent)
      if err != nil {
          log.Fatal(err)
      }
      // Person{Id:12, FirstName:"John", LastName:"Doe", Age:42}