How to decrypt cookie?

I've just caught a crash reported on sentry, I am trying to debug and see the root cause for the problem.

Luckily, in the cookies panel, I can see the laravel_session value that was used while crash happened.

The question is, how can I decrypt the cookie?

Mohammad AL-Raoosh asked Aug 29 '17 07:08



2 Answers

You can decrypt the cookie with the following code (run it inside the Laravel app, e.g. in `php artisan tinker`, so that `\Config` resolves):

    $cookie = 'eyJpdiI6ImFUQ0FvMWFSVlNvTmhlQjdLWGw1Z1E9PSIsInZhbHVlIjoicFh6Q09iTDl0K0huWU1Nc1NYVmxSY2hPRGU5Vk85dDJyYUpRbUVjRWg5R0JxYkVobkF3YkZVcVQrakFFUmxaVnZrTjFST3F3RTZ4akpDZEpvUFJiQXc9PSIsIm1hYyI6IjlhYmJhMTY3MWMxYWI3YjJmNmFjMmNkZWE0MWZmMmVhNTNiMjI5ZWY3NzUwNzQ0ZjAzMGQ1ZGU0YzVhNjJmZGYifQ==';
    // Outer layer: base64-encoded JSON with "iv", "value" and "mac" fields.
    $cookie_contents = json_decode( base64_decode( $cookie, true ));
    $value = base64_decode( $cookie_contents->value );
    $iv = base64_decode( $cookie_contents->iv );
    $key = \Config::get( 'app.key' );
    // Laravel 5.4+ stores the key as "base64:..."; decode it to raw bytes before use.
    if ( strpos( $key, 'base64:' ) === 0 ) { $key = base64_decode( substr( $key, 7 )); }
    // OPENSSL_RAW_DATA because $value was already base64-decoded above.
    $clear = unserialize( \openssl_decrypt( $value, \Config::get( 'app.cipher' ), $key, OPENSSL_RAW_DATA, $iv ));
    echo "Cookie contents (Session ID): $clear\n";

You should end up with a session ID that looks something like this:

  • Laravel 5.1: 55782b00dbfcc3f848585ac2cefc66802d773cf5
  • Laravel 5.4: yPjeV74joY4MtMNNtTpeOYBP2CMixJBBChc9HRND

I didn't test with Laravel 5.3, but I'm confident it will work.

When using this code, make sure you paste the entire contents of the cookie into the $cookie variable, including the two equals signs at the end.

JamesG answered Oct 20 '22 06:10


For Laravel 6 I think it's pretty much the same:

    // APP_KEY from .env; Laravel 6 stores it with a "base64:" prefix.
    $base64_key = "base64:ISAcSPwQ0HDqqLygaS9LyPzs5ZujMAKOjBou+gyz9sw=";
    // Outer layer: base64-encoded JSON with "iv", "value" and "mac" fields.
    $payload = json_decode(base64_decode($_COOKIE["your_cookie_name"]), true);
    $iv = base64_decode($payload['iv']);
    // Strip the 7-character "base64:" prefix and decode to the raw 32-byte key.
    $key = base64_decode(substr($base64_key, 7));
    // Options = 0: $payload['value'] is still base64, so openssl decodes it itself.
    $sessionId = openssl_decrypt($payload['value'], 'AES-256-CBC', $key, 0, $iv);

    echo "Session Id: $sessionId";

But check a few things:

  • Cipher encoding: mine is 'AES-256-CBC'; it can be 'AES-128-CBC' if your key length is 16
  • Key format: mine starts with "base64:", so I have to remove this part first
Jean-Roch B. answered Oct 20 '22 05:10
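As an added example that is not part of either answer above, here is a standalone PHP script covering what both answers do (Laravel 5.x serialized cookies and Laravel 6 plain ones, keys with or without the "base64:" prefix, cipher chosen by key length) and additionally checking the payload's "mac" field before decrypting, as Laravel's own Encrypter does. The function names are mine, and the key and cookie it round-trips are constructed inside the script, not taken from a real application.

```php
<?php
// Added example, not code from the answers above: decrypt a Laravel session cookie
// the way Illuminate\Encryption\Encrypter does, but verify the MAC before decrypting.

function laravelKeyBytes(string $appKey): string
{
    // Laravel 5.4+ stores APP_KEY as "base64:..."; older versions use the raw string.
    if (strncmp($appKey, 'base64:', 7) === 0) {
        return base64_decode(substr($appKey, 7), true);
    }
    return $appKey;
}

function decryptLaravelCookie(string $cookie, string $appKey, bool $unserialize = false): string
{
    $key = laravelKeyBytes($appKey);
    // Key length selects the cipher: 16 bytes -> AES-128-CBC, 32 bytes -> AES-256-CBC.
    $cipher = [16 => 'AES-128-CBC', 32 => 'AES-256-CBC'][strlen($key)] ?? null;
    if ($cipher === null) {
        throw new RuntimeException('unsupported key length: ' . strlen($key));
    }
    // Cookie layout: base64( JSON {"iv": b64, "value": b64, "mac": hex} ).
    // rawurldecode() undoes the %3D a browser's cookie panel may show for '='.
    $payload = json_decode(base64_decode(rawurldecode($cookie), true), true);
    if (!is_array($payload) || !isset($payload['iv'], $payload['value'], $payload['mac'])) {
        throw new RuntimeException('malformed cookie payload');
    }
    // The MAC is HMAC-SHA256 over the still-encoded iv and value; compare in constant time.
    $expected = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($expected, $payload['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or tampered cookie');
    }
    // Option flag 0 means the ciphertext is base64, matching Laravel's encrypt side.
    $plain = openssl_decrypt($payload['value'], $cipher, $key, 0, base64_decode($payload['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    // Laravel 5.x cookies carry a serialized string; Laravel 6 stores the ID as-is.
    return $unserialize ? unserialize($plain, ['allowed_classes' => false]) : $plain;
}

// Round trip with a constructed key and payload (no real app key involved).
$appKey = 'base64:' . base64_encode(random_bytes(32));
$key = laravelKeyBytes($appKey);
$iv = random_bytes(16);
$value = openssl_encrypt('constructed-session-id', 'AES-256-CBC', $key, 0, $iv);
$mac = hash_hmac('sha256', base64_encode($iv) . $value, $key);
$cookie = base64_encode(json_encode(['iv' => base64_encode($iv), 'value' => $value, 'mac' => $mac]));
echo "Session ID: ", decryptLaravelCookie($cookie, $appKey), "\n";
```

Pass `true` as the third argument for Laravel 5.x cookies, whose value is a serialized string; a MAC mismatch on a cookie copied from a crash report usually means the wrong APP_KEY or a cookie that was truncated on copy.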