RailsCompatibleCookiesUtils - Utility methods to deal with cookies managed by a Rails app
This is a Ruby-only (2.0 or later) implementation of utility methods to manage cookies generated by a Rails app. It doesn't depend on any external gems.
Just tell RailsCompatibleCookiesUtils the Rails app secret key and it will be able to handle signed and encrypted cookies (it can both read and write those values).
This is useful if you intend to share your cookies (or session) among different Ruby web applications (they could be even running in the same domain behind a proxy for example) when at least one of the applications is not a Rails one.
Or you could use this if you are switching from Rails to another Ruby web framework and want to deal with old valid sessions after deploying (either if it's a temporary strategy or you want to keep this encrypting and signing algorithms permanently).
Installation
Add this line to your application's Gemfile:
gem 'rails_compatible_cookies_utils'
And then execute:
$ bundle
Or install it yourself as:
$ gem install rails_compatible_cookies_utils
Usage
You may test the following examples in a REPL with bin/console.
Initialization
Creating an instance using the default serializer in Rails 5 generated applications (JSON):
= RailsCompatibleCookiesUtils.new 'secret_key_base'
Usually you'll pass the Rails app secret_key_base (Rails.application.config.secret_key_base)
you want to share cookies with. You can also generate a Rails-like random secret key for other
purposes if you want:
secret_key_base = SecureRandom.hex 64
In previous Rails releases the default serializer was Marshal. If your app uses it, initialize it this way:
= RailsCompatibleCookiesUtils.new 'secret_key_base', serializer: Marshal
Thread-safety
An instance of RailsCompatibleCookiesUtils is not thread-safe, so ensure to create a new instance for each thread using such an instance or make the calls in within a mutex synchronized block.
Read an encrypted cookie value
This would be the equivalent of cookies.encrypted['_myapp_session']:
= env['HTTP_COOKIE'] # this would be considering a Rack app
. , '_myapp_session'
Or if you already have the parsed and unescaped cookie value:
value = .(env['HTTP_COOKIE'])['_myapp_session']
# you may actually get the value from somewhere else
.decrypt value
Write an encrypted value to the cookies
require 'cgi'
value = { test: true }
cookie = CGI::Cookie.new 'some_key', cookies_utils.encrypt value
# or using a framework helper:
# cookies['some_key'] = cookies_utils.encrypt value
cookies_utils.decrypt(cookies_utils.encrypt 'secret') == 'secret'
Signed only values
Rails also allows you to just sign a cookie value without encrypting it
(cookies.signed['key'] = 'value'). To verify and decode the value:
. env['HTTP_COOKIE'], 'some_key'
# or cookies_utils.verify_and_deserialize signed_serialized_value
Serialize and sign a cookie value with:
require 'cgi'
value = { test: true }
cookie = CGI::Cookie.new 'some_key', cookies_utils.serialize_and_sign value
# or using a framework helper:
# cookies['some_key'] = cookies_utils.serialize_and_sign value
cookies_utils.verify_and_deserialize(cookies_utils.serialize_and_sign 'secret') == 'secret'
Invalid values handling
If the value is invalid decrypt_cookie_key, decrypt, signed_cookie_key,
verify_and_deserialize and serialize_and_sign will all return nil. All of
them have a bang variant which will raise RailsCompatibleCookiesUtils::InvalidSignature
instead in those cases (like decrypt!).
Development
After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.
To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub.
License
The gem is available as open source under the terms of the MIT License.