Cf_session_data stored in datasource is now encrypted/encoded?


For long-standing reasons having to do with session rotation not working in a clustered environment that uses a datasource for session storage, we are forced to read the data field from the cf_session_data table based on a cfid value.

After upgrading to Lucee, we found that the data stored in that field is encrypted. Is it possible to decrypt this data?

EDIT: It’s also possible that the data is Base64 encoded, but simply converting it toBinary and then toString doesn’t work. It used to be a struct. Is it a Java object now?


This leads me somewhere but I’m not sure where to go from here:

<cfquery name="getSession">
SELECT data FROM cf_session_data WHERE cfid='#session.cfid#'

<cfset result.b64DataValue = />
<cfset result.binDataValue = toBinary( result.b64DataValue ) />

<cfdump var="#result#">

<cffunction name="BinaryToObject"> 
<cfargument name="bytes"> 
var bs = CreateObject("java","").init(bytes); 
var inStream = CreateObject("java","").init(bs); 
var obj = inStream.readObject(); 
return obj; 

<cfset objDataValue = BinaryToObject( result.binDataValue ) />
<cfdump var="#objDataValue#">

EDIT: Same result, simpler code:

<cfdump var="#ObjectLoad( result.binDataValue )#">


I believe, if my memory serves me correctly, that the session data is now serialized in 5.x.x (can’t remember which version introduced it, just remember reading it somewhere). Try:

<cfset result = deserialize( ) />

I think that ought to do it.


– Denny