Hi!

I believe this is the Play framework signing the entire cookie.
The relevant code looks like:
/**
   * Signs the given String with HMAC-SHA1 using the application’s secret key.
   *
   * By default this uses the platform default JSSE provider.  This can be overridden by defining
   * `application.crypto.provider` in `application.conf`.
   *
   * @param message The message to sign.
   * @return A hexadecimal encoded signature.
   */
  def sign(message: String): String = {
    secret.map(secret => sign(message, secret.getBytes("utf-8"))).getOrElse {
      throw new PlayException("Configuration error", "Missing application.secret")
    }
  }

  /**
   * Signs the given String with HMAC-SHA1 using the given key.
   *
   * By default this uses the platform default JSSE provider.  This can be overridden by defining
   * `application.crypto.provider` in `application.conf`.
   *
   * @param message The message to sign.
   * @param key The private key to sign with.
   * @return A hexadecimal encoded signature.
   */
  def sign(message: String, key: Array[Byte]): String = {
    val mac = provider.map(p => Mac.getInstance("HmacSHA1", p)).getOrElse(Mac.getInstance("HmacSHA1"))
    mac.init(new SecretKeySpec(key, "HmacSHA1"))
    Codecs.toHexString(mac.doFinal(message.getBytes("utf-8")))
  }

So you should be able to take the application.secret, use that as the
HmacSHA1 secret, sign the entire cookie value (incl. the cookie name
and '=') and prepend the sha + '-'.

What I couldn't find the code for right away is how the cookie value
is generated if it is a map. But I think that's not relevant here.

Hope that helps!

Kay
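
Added example (not part of Kay's message and not Play's own code): a Python equivalent of the quoted sign() plus the receiving side's check, which recomputes the HMAC and compares it in constant time. The "<hex signature>-<data>" layout follows the description in the message; the helper names encode_signed/decode_signed and the sample secret and data are assumptions made up for illustration.

```python
import hashlib
import hmac
from typing import Optional


def sign(message: str, key: bytes) -> str:
    """HMAC-SHA1 over the UTF-8 bytes of message, lowercase hex encoded."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha1).hexdigest()


def encode_signed(data: str, secret: str) -> str:
    """Prepend the signature and '-' to the data (layout assumed from the post)."""
    return sign(data, secret.encode("utf-8")) + "-" + data


def decode_signed(value: str, secret: str) -> Optional[str]:
    """Return the data if the signature verifies, otherwise None."""
    # The hex signature never contains '-', so split on the first one only;
    # the data part may legitimately contain further dashes.
    sig, sep, data = value.partition("-")
    if not sep or len(sig) != 40:  # SHA-1 digest is 20 bytes = 40 hex chars
        return None
    expected = sign(data, secret.encode("utf-8"))
    # compare_digest avoids leaking how many leading characters matched.
    if hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return data
    return None


if __name__ == "__main__":
    secret = "constructed-example-secret"   # constructed, stands in for application.secret
    data = "user=alice&ts=1400000000"       # constructed sample data
    value = encode_signed(data, secret)
    print(value)
    print(decode_signed(value, secret))                              # data comes back
    print(decode_signed(value.replace("alice", "admin"), secret))    # None: tampered
    print(decode_signed(value, "some-other-secret"))                 # None: wrong key
```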
