For long-standing reasons having to do with session rotation not working in a clustered environment that uses a datasource for session storage, we are forced to read the data field from the cf_session_data table based on a cfid value.
After upgrading to Lucee 220.127.116.11, we found that the data stored in that field is encrypted. Is it possible to decrypt this data?
EDIT: It’s also possible that the data is Base64 encoded, but simply converting it toBinary and then toString doesn’t work. It used to be a struct. Is it a Java object now?
This leads me somewhere but I’m not sure where to go from here:
<cfquery name="getSession">
SELECT data FROM cf_session_data WHERE cfid=<cfqueryparam value="#session.cfid#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfset result.b64DataValue = getSession.data />
<cfset result.binDataValue = toBinary( result.b64DataValue ) />
<cfscript>
function BinaryToObject( bytes ) {
// wrap the raw bytes in a stream and Java-deserialize them
var bs = CreateObject("java","java.io.ByteArrayInputStream").init(bytes);
var inStream = CreateObject("java","java.io.ObjectInputStream").init(bs);
return inStream.readObject();
}
</cfscript>
<cfset objDataValue = BinaryToObject( result.binDataValue ) />
EDIT: Same result, simpler code:
<cfdump var="#ObjectLoad( result.binDataValue )#">
I believe, if my memory serves me correctly, that the session data is now serialized in 5.x.x (can’t remember which version introduced it, just remember reading it somewhere). Try:
<cfset result = deserialize( getSession.data ) />
I think that ought to do it.
<cfdump var="#unserializeJAva(getSession.data).getValue()#" abort>
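On the question in the first post (encrypted, Base64, or a Java object?), the following is an added example, not code from any post in this thread or from Lucee. It classifies a stored data value by its header bytes and reads the top-level class name without ever calling readObject on it; the sample input and the class name example.SessionValue are constructed for illustration.

```python
import base64
import binascii
import struct

JAVA_STREAM_MAGIC = b"\xac\xed"  # java.io.ObjectStreamConstants.STREAM_MAGIC
TC_OBJECT, TC_CLASSDESC, TC_STRING = 0x73, 0x72, 0x74


def triage_session_field(value: str) -> dict:
    """Classify a stored `data` value without deserializing it."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64"}
    if raw[:2] != JAVA_STREAM_MAGIC or len(raw) < 5:
        # Valid Base64 but no Java stream header: compressed, encrypted or other binary.
        return {"kind": "opaque-binary", "length": len(raw)}
    (version,) = struct.unpack(">H", raw[2:4])
    info = {"kind": "java-serialized", "stream_version": version, "top_level": None}
    tag = raw[4]
    if tag == TC_STRING:
        info["top_level"] = "java.lang.String"
    elif tag == TC_OBJECT and len(raw) >= 8 and raw[5] == TC_CLASSDESC:
        # A class descriptor starts with a 2-byte length followed by the class name.
        (name_len,) = struct.unpack(">H", raw[6:8])
        name = raw[8:8 + name_len]
        if len(name) == name_len:
            info["top_level"] = name.decode("utf-8", "replace")
    return info


def constructed_sample(class_name: str) -> str:
    """Build a header-only sample stream (constructed, not real Lucee output)."""
    name = class_name.encode()
    raw = (JAVA_STREAM_MAGIC + struct.pack(">H", 5)
           + bytes([TC_OBJECT, TC_CLASSDESC])
           + struct.pack(">H", len(name)) + name
           + struct.pack(">q", 1))  # placeholder serialVersionUID
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    # example.SessionValue is a hypothetical class name used only for this sample.
    print(triage_session_field(constructed_sample("example.SessionValue")))
    print(triage_session_field(base64.b64encode(b"\x00" * 16).decode()))
    print(triage_session_field("{cfid:'abc'}"))
```

A Base64 value that begins with rO0AB is a Java serialization stream rather than ciphertext. Checking the reported class name before handing the bytes to ObjectLoad or ObjectInputStream keeps unexpected object types out of the deserializer.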