Cf_session_data stored in datasource is now encrypted/encoded?

For long-standing reasons having to do with session rotation not working in a clustered environment that uses a datasource for session storage, we are forced to read the data field from the cf_session_data table based on a cfid value.

After upgrading to Lucee 5.2.3.35, we found that the data stored in that field is encrypted. Is it possible to decrypt this data?

EDIT: It’s also possible that the data is Base64 encoded, but simply converting it toBinary and then toString doesn’t work. It used to be a struct. Is it a Java object now?

This leads me somewhere but I’m not sure where to go from here:

<cfquery name="getSession">
SELECT data FROM cf_session_data
WHERE cfid = <cfqueryparam value="#session.cfid#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset result.b64DataValue = getSession.data />
<cfset result.binDataValue = toBinary( result.b64DataValue ) />

<cfdump var="#result#">

<cffunction name="BinaryToObject">
	<cfargument name="bytes">
	<cfscript>
		// Wrap the decoded bytes and read one Java-serialized object from them.
		var bs = CreateObject("java","java.io.ByteArrayInputStream").init(bytes);
		var inStream = CreateObject("java","java.io.ObjectInputStream").init(bs);
		var obj = inStream.readObject();
		inStream.close();
		return obj;
	</cfscript>
</cffunction>

<cfset objDataValue = BinaryToObject( result.binDataValue ) />
<cfdump var="#objDataValue#">

EDIT: Same result, simpler code:

<cfdump var="#ObjectLoad( result.binDataValue )#">

I believe, if my memory serves me correctly, that the session data is now serialized in 5.x.x (can’t remember which version introduced it, just remember reading it somewhere). Try:

<cfset result = deserialize( getSession.data ) />

I think that ought to do it.

HTH

– Denny

<cfdump var="#unserializeJava(getSession.data).getValue()#" abort>
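
To answer "Is it a Java object now?" for a stored value without calling `readObject()` on it, the Java serialization stream header can be checked directly. The following is an added example, not code from this thread or from Lucee. The function names and the class name `example.SessionValue` are hypothetical, and the sample bytes are constructed rather than taken from a real `cf_session_data` row.

```python
import base64
import binascii
import struct

STREAM_MAGIC = 0xACED      # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5         # java.io.ObjectStreamConstants.STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def inspect_session_blob(b64_text):
    """Classify a Base64 column value without deserializing it.

    Returns a dict whose 'kind' is 'not-base64', 'not-java' or
    'java-serialized'; for the last, the top-level class name and
    serialVersionUID are included when the layout allows reading them.
    """
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64"}
    if len(raw) < 4:
        return {"kind": "not-java"}
    magic, version = struct.unpack_from(">HH", raw, 0)
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return {"kind": "not-java"}
    info = {"kind": "java-serialized", "class_name": None, "serial_uid": None}
    # Only the common "new object + new class descriptor" layout is decoded;
    # strings, arrays and back-references are reported without a class name.
    if len(raw) >= 8 and raw[4] == TC_OBJECT and raw[5] == TC_CLASSDESC:
        (name_len,) = struct.unpack_from(">H", raw, 6)
        end = 8 + name_len
        if len(raw) >= end + 8:
            info["class_name"] = raw[8:end].decode("utf-8", "replace")
            (info["serial_uid"],) = struct.unpack_from(">q", raw, end)
    return info


def build_sample(class_name="example.SessionValue", uid=1):
    """Constructed header bytes for a hypothetical class (not real Lucee data)."""
    name = class_name.encode("utf-8")
    raw = struct.pack(">HHBBH", STREAM_MAGIC, STREAM_VERSION, TC_OBJECT,
                      TC_CLASSDESC, len(name)) + name + struct.pack(">q", uid)
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    print(inspect_session_blob(build_sample()))
    print(inspect_session_blob(base64.b64encode(b'{"a":1}').decode("ascii")))
```

A Base64 value that begins with `rO0AB` decodes to the `AC ED 00 05` header, so the same check can be done by eye on the column.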