Decoding the Session Cookie: Rails 2.x

Posted: July 19, 2010. Tags: Rails

Here's how you can see what is inside your Rails session cookie.

A word of caution about copying cookies out of browsers: If you're copying your cookie out of the Google Chrome Resources -> Cookies page, make sure you triple-click the cookie value before copying it (right-click and select Copy, or Cmd-C on Mac OS X). If you just right-click it and select Copy, it will only select the first "word" and you'll miss some necessary junk at the end of the cookie. Safari's Resources -> Cookies page has a "Copy Row" option that is immune to this problem.

require 'base64'; require 'cgi'
cookie = "string-copied-from-browser--with_signature"
# Join any copied line breaks, URL-unescape, drop the "--signature" suffix, then Base64-decode and unmarshal
Marshal.load(Base64.decode64(CGI.unescape(cookie.split("\n").join).split('--').first))

As found here.

Update: you can dump your session and verify your session signature using:

require 'cgi'
require 'active_support' # for ActiveSupport::MessageVerifier (Rails 2.x)
cookie = "string-copied-from-browser--with_signature"
secret = "your session secret" # from config/initializers/session_store.rb
verifier = ActiveSupport::MessageVerifier.new(secret)
signed_message = CGI.unescape(cookie.split("\n").join) # join copied line breaks, then URL-unescape
# Checks the HMAC before unmarshalling; raises ActiveSupport::MessageVerifier::InvalidSignature if the cookie was altered
verifier.verify(signed_message)
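As an added example (not from the original post, and not Rails' own code): a standard-library re-implementation of the 2.x cookie-store layout that MessageVerifier produces, "base64(Marshal.dump(session))--hex HMAC-SHA1", so you can round-trip a constructed session offline and see that the payload is readable by anyone holding the cookie while the HMAC only protects its integrity. The secret and session values are placeholders; note that the signature is checked before Marshal.load, because unmarshalling an unverified cookie is unsafe.

```ruby
require 'base64'
require 'cgi'
require 'openssl'

# Rails 2.x cookie-store layout, rebuilt with the standard library (no ActiveSupport):
# "<base64(Marshal.dump(session))>--<hex HMAC-SHA1 over the base64 part>", URL-escaped.
SESSION_SECRET = 'constructed-example-secret-not-a-real-app-secret' # placeholder

def sign(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Build a cookie the way the 2.x cookie store does (demonstration only).
def build_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  CGI.escape("#{data}--#{sign(data, secret)}")
end

# Constant-time comparison so a verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify first, then deserialize: Marshal.load must only see data whose signature
# already checked out. Returns nil for a malformed, forged or tampered cookie.
def verify_and_load(cookie, secret)
  data, digest = CGI.unescape(cookie.split("\n").join).split('--', 2)
  return nil unless data && digest && secure_compare(digest, sign(data, secret))
  Marshal.load(Base64.decode64(data))
end

# Constructed sample session, shaped like what a 2.x app stores.
SAMPLE_SESSION = { 'user_id' => 42, 'flash' => {}, 'session_id' => 'abc123' }

if __FILE__ == $0
  cookie = build_cookie(SAMPLE_SESSION, SESSION_SECRET)
  p verify_and_load(cookie, SESSION_SECRET)        # the session hash
  p verify_and_load('A' + cookie, SESSION_SECRET)  # nil: payload altered
  p verify_and_load(build_cookie(SAMPLE_SESSION, 'wrong-secret'), SESSION_SECRET) # nil: forged
end
```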