Given the session key and secret, how can we decrypt cookie-based sessions?

Hello all. I've got a question about how Rails handles cookie encryption/decryption.

I've got this in my config/environment.rb

  config.action_controller.session = {
    :session_key => [some key],
    :secret      => [some secret]
  }

And this in config/environment/production.rb et al.:

  ActionController::Base.session_options[:session_domain] = [some domain]

So far, so good -- as long as all my Rails apps have the same session_key and secret, and are on the same domain, they can all use that same cookie.

However, a colleague now has a JSP application (on the same domain), with which he'd like to read the cookies I have set.

So, given a secret and an encrypted cookie value, how would we decrypt it to get the contents of that cookie?

(The docs seem to indicate this is one-way SHA1 encryption by default -- http://caboo.se/doc/classes/CGI/Session/CookieStore.html -- but then how would my Rails applications read the contents of a cookie that is one-way encrypted?)

Thanks in advance for any tips/pointers/insight, Joe

Session cookies aren't encrypted (there is a cryptographic signature to prevent tampering, but the data isn't encrypted).

The data is a Base64-encoded marshaled Ruby object. In Ruby it is dead easy: strip off the signature (including and after the --) and do Marshal.load(ActiveSupport::Base64.decode64(blob_of_data)). You would probably need to reimplement part of Ruby's marshalling algorithm to decode the data (the marshal format is documented).

Fred.
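The cookie layout Fred describes, worked through end to end as an added example (this is not code from the thread or from Rails itself, and it does not load ActiveSupport): the session hash is Marshal.dumped, Base64-encoded on a single line, and followed by "--" plus an HMAC-SHA1 hex digest of that Base64 text keyed with the :secret. The SECRET constant is a constructed stand-in for [some secret], and the constant-time digest comparison is a hardening added here rather than what Rails 2.x did. The decoder checks the signature before it ever calls Marshal.load, so a tampered or unsigned value is rejected instead of being unmarshaled.

```ruby
require 'base64'
require 'openssl'

# Constructed stand-in for the [some secret] value in config/environment.rb.
SECRET = 'example-secret-do-not-reuse'

# HMAC-SHA1 over the Base64 text, hex encoded: the part after "--".
def generate_digest(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Serialise a session hash into the "<base64>--<hexdigest>" cookie value.
# strict_encode64 gives the single-line Base64 the cookie carries.
def encode_session(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{generate_digest(data, secret)}"
end

# Constant-time string comparison (added hardening; Rails 2.x used ==).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the signature first, then unmarshal. Returns nil on a missing or
# bad signature so untrusted bytes never reach Marshal.load.
def decode_session(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(generate_digest(data, secret), digest)
  Marshal.load(Base64.decode64(data))
end

# Forgery attempt: replace the payload but keep the original signature.
def tampered_cookie(cookie, session)
  _, digest = cookie.split('--', 2)
  "#{Base64.strict_encode64(Marshal.dump(session))}--#{digest}"
end

if __FILE__ == $0
  cookie = encode_session({ 'user_id' => 42, 'flash' => {} }, SECRET)
  puts cookie
  p decode_session(cookie, SECRET)                                   # the hash
  p decode_session(tampered_cookie(cookie, { 'user_id' => 1 }), SECRET) # nil
end
```

For the JSP side the same three steps apply: URL-decode the raw cookie value first (the cookie layer percent-encodes characters such as "=" and "+"), split on "--" and recompute the HMAC-SHA1 over the Base64 part with the shared secret, and only then Base64-decode and parse the Marshal stream, which is the part that needs a reimplementation of Ruby's marshal format.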