Authorization by Laravel cookies

My application uses the Laravel/Fortify package, guarded by web/session/memcached. I want to add a golang-powered websocket server to my app, and I need to authorize users. As I understand it, I can use the cookies saved by Laravel. These are the decrypted cookies (I think I can decrypt them in the golang module with env:APP_KEY):

  "cookies": {
    "parameters": {
      "XSRF-TOKEN": "<xsrf_token>",
      "<app_name>_session": "<session>"
    }
  }

This is the record from memcached:

    "key" => "<cache_prefix>:<session>"
    "value" => "a:5:{
        s:6:"_token";s:40:"<xsrf_token>";
        s:6:"_flash";a:2:{s:3:"old";a:0:{}s:3:"new";a:0:{}}
        s:9:"_previous";a:1:{s:3:"url";s:16:"http://localhost";}
        s:3:"url";a:0:{}
        s:50:"login_web_[0-9a-f]";i:<user_id>;
    }"

So, in golang I decrypt the cookies, read the session record from memcached, check xsrf_token, and I have <user_id> under the key login_web_<[0-9a-f]+>? What do the hex numbers after 'login_web_' mean? Do I need to check them to use authorization correctly and safely?

Thanks.

adic3x (OP), Best Answer:

Solved:

'login_web_59ba36addc2b2f9401580f014c7f58ea4e30989d' = login_web_ + sha1('Illuminate\Auth\SessionGuard').

Added:

I was able to verify the user this way. I use the decrypt code from vendor\laravel\framework\src\Illuminate\Encryption\Encrypter.php to decrypt Laravel's cookies and vendor\laravel\framework\src\Illuminate\Cookie\CookieValuePrefix.php to process the cookie prefix.
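
The check described in this thread, as an added Go example that is not part of the original posts and is not Laravel's own code. It assumes the AES-256-CBC cipher, a 32-byte key already decoded from APP_KEY, a payload of base64-encoded JSON with `iv`, `value` and `mac` fields, and a value prefix of hex HMAC-SHA1 over the cookie name plus "v2" followed by "|"; confirm each assumption against the Encrypter.php and CookieValuePrefix.php of the installed framework version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// LoginKey is the session key holding the user id: "login_<guard>_" + sha1(guard class name).
func LoginKey(guard string) string {
	return fmt.Sprintf("login_%s_%x", guard, sha1.Sum([]byte(`Illuminate\Auth\SessionGuard`)))
}

// DecryptCookie checks the MAC, decrypts AES-256-CBC and strips the cookie-name prefix.
func DecryptCookie(key []byte, name, cookie string) (string, error) {
	var p struct{ IV, Value, MAC string } // JSON keys "iv", "value", "mac" (assumed format)
	raw, _ := base64.StdEncoding.DecodeString(cookie)
	err := json.Unmarshal(raw, &p)
	want, _ := hex.DecodeString(p.MAC)
	m := hmac.New(sha256.New, key)
	m.Write([]byte(p.IV + p.Value)) // MAC covers base64(iv) + base64(ciphertext)
	if err != nil || !hmac.Equal(want, m.Sum(nil)) { // constant-time, before any decryption
		return "", errors.New("malformed payload or bad MAC")
	}
	iv, _ := base64.StdEncoding.DecodeString(p.IV)
	ct, _ := base64.StdEncoding.DecodeString(p.Value)
	block, err := aes.NewCipher(key)
	if err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("bad key, IV or ciphertext length")
	}
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct)
	pad := int(ct[len(ct)-1]) // PKCS#7 padding length
	pm := hmac.New(sha1.New, key)
	pm.Write([]byte(name + "v2")) // assumed prefix: hex(HMAC-SHA1(name+"v2")) + "|"
	prefix := hex.EncodeToString(pm.Sum(nil)) + "|"
	if pad == 0 || pad > aes.BlockSize || !strings.HasPrefix(string(ct[:len(ct)-pad]), prefix) {
		return "", errors.New("bad padding or cookie prefix")
	}
	return string(ct[len(prefix) : len(ct)-pad]), nil
}

func main() { fmt.Println(LoginKey("web")) }
```

The string returned for the `<app_name>_session` cookie is the `<session>` part of the memcached key `<cache_prefix>:<session>`, and `LoginKey("web")` is the entry in that record that holds `<user_id>`.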
