Decrypt Rails 5.2+ AES-256-GCM encrypted cookies and sessions using your secret_key_base. Runs entirely in your browser.
Ruby on Rails encrypts session cookies with ActiveSupport::MessageEncryptor. Since Rails 5.2 the default is AES-256-GCM, with the key derived from your application's secret_key_base. This tool reproduces that decryption locally: paste an encrypted cookie plus your secret_key_base and it recovers the session payload in your browser, for debugging, forensics and authorized recovery on applications you control.
Input:
data--iv--tag + secret_key_base
Output:
{"session_id":"...","_csrf_token":"..."}
Where is secret_key_base?
In config/credentials.yml.enc (decrypted with your master key) or the SECRET_KEY_BASE environment variable for the target Rails environment.
Which Rails versions work?
Rails 5.2 and later, which default to AES-256-GCM encrypted cookies. Adjust the salt and iterations for apps that override the defaults.
Why does decryption fail?
A wrong secret_key_base, salt or iteration count, or a non-GCM (legacy CBC) cookie. GCM decryption is authenticated, so any mismatch fails cleanly.
Is anything uploaded?
No. The cookie and secret_key_base are processed entirely in your browser using the Web Crypto API.
Decrypt Rails 5.2+ AES-256-GCM encrypted cookies using your secret_key_base. Everything runs in your browser - nothing is uploaded.
Rails derives the AES-256-GCM key from secret_key_base with ActiveSupport::KeyGenerator (PBKDF2-HMAC-SHA1, 1000 iterations, salt "authenticated encrypted cookie"). The cookie is a URL-encoded string of three base64 parts joined by "--": ciphertext, IV and the GCM auth tag. Older apps may use a different salt or iteration count - adjust the fields above.
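The derivation and cookie layout just described, together with the failure modes from the "Why does decryption fail?" answer, as an added Ruby example using only the standard OpenSSL library. This is not the tool's own Web Crypto code or ActiveSupport's code; it assumes the Rails 5.2+ defaults (salt "authenticated encrypted cookie", 1000 PBKDF2-HMAC-SHA1 iterations, a 32-byte key) and a plain JSON session payload as shown in the Output field. The secret_key_base and session content are constructed for the example; encrypt_cookie exists only so the decryptor can be exercised offline against a cookie in the "data--iv--tag" layout.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'cgi'

# Rails 5.2+ defaults for encrypted cookies (assumption: the app does not override them).
DEFAULT_SALT = 'authenticated encrypted cookie'
DEFAULT_ITERATIONS = 1000
KEY_LEN = 32 # AES-256 needs a 32-byte key

# Same derivation ActiveSupport::KeyGenerator performs: PBKDF2-HMAC-SHA1 over secret_key_base.
def derive_cookie_key(secret_key_base, salt: DEFAULT_SALT, iterations: DEFAULT_ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, iterations, KEY_LEN, 'sha1')
end

# Constructed helper: produce a cookie in the "data--iv--tag" layout so the decryptor can be
# exercised offline. A real cookie comes from the Rails app itself.
def encrypt_cookie(payload_json, secret_key_base, salt: DEFAULT_SALT, iterations: DEFAULT_ITERATIONS)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_cookie_key(secret_key_base, salt: salt, iterations: iterations)
  iv = cipher.random_iv        # 12-byte IV, generated and set on the cipher
  cipher.auth_data = ''        # Rails uses empty additional authenticated data
  ciphertext = cipher.update(payload_json) + cipher.final
  parts = [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }
  CGI.escape(parts.join('--')) # the cookie jar percent-encodes the value
end

# Decrypt a Rails encrypted cookie. Returns the parsed JSON session, or nil when the cookie
# is malformed, uses the legacy two-part CBC layout, or fails GCM authentication (wrong
# secret_key_base, salt or iteration count, or a tampered cookie).
def decrypt_cookie(cookie, secret_key_base, salt: DEFAULT_SALT, iterations: DEFAULT_ITERATIONS)
  parts = CGI.unescape(cookie).split('--')
  return nil unless parts.size == 3 # legacy CBC cookies carry only data--iv
  ciphertext, iv, tag = parts.map { |p| Base64.strict_decode64(p) }
  return nil unless tag.bytesize == 16 # Rails rejects truncated tags before decrypting

  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_cookie_key(secret_key_base, salt: salt, iterations: iterations)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  JSON.parse(cipher.update(ciphertext) + cipher.final) # final raises on a bad tag
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-secret-key-base-for-this-example-only'
  cookie = encrypt_cookie('{"session_id":"abc123","_csrf_token":"tok"}', secret)
  p decrypt_cookie(cookie, secret)         # the session hash
  p decrypt_cookie(cookie, 'wrong-secret') # nil: GCM authentication fails cleanly
end
```

Because GCM is authenticated, every mismatch (wrong secret, wrong salt or iteration count, altered ciphertext or tag) surfaces as a single clean failure in `final` rather than as garbage plaintext, which is why the decryptor returns nil instead of trying to interpret partial output. The 16-byte tag check mirrors the one ActiveSupport performs before decrypting, so a cookie with a shortened tag is rejected before any key material is used.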