{"id":988,"date":"2023-10-16T11:37:00","date_gmt":"2023-10-16T02:37:00","guid":{"rendered":"https:\/\/shinke1987.net\/?p=988"},"modified":"2023-10-15T01:39:12","modified_gmt":"2023-10-14T16:39:12","slug":"laravel%e3%81%a7%e3%81%ae%e6%9a%97%e5%8f%b7%e5%8c%96%e3%81%95%e3%82%8c%e3%81%9fcookie%e3%81%8b%e3%82%89%e3%82%bb%e3%83%83%e3%82%b7%e3%83%a7%e3%83%b3id%e7%ad%89%e3%82%92%e5%8f%96%e5%be%97","status":"publish","type":"post","link":"https:\/\/shinke1987.net\/?p=988","title":{"rendered":"Laravel\u3067\u306e\u6697\u53f7\u5316\u3055\u308c\u305fCookie\u304b\u3089\u30bb\u30c3\u30b7\u30e7\u30f3ID\u7b49\u3092\u53d6\u5f97"},"content":{"rendered":"\n<h2 id=\"toc0\" class=\"wp-block-heading\">\u53c2\u8003\u306b\u3057\u305f\u30da\u30fc\u30b8<\/h2>\n\n\n\n<p>\u203b \u3084\u3063\u3066\u308b\u3053\u3068\u306f\u4e0b\u8a18\u30b5\u30a4\u30c8\u3068\u5168\u304f\u540c\u3058\u3002<\/p>\n\n\n\n<p><a href=\"https:\/\/zenn.dev\/macloud\/articles\/929bbbaa66e728\">Laravel \u306e Cookie \u6697\u53f7\u5316\u306e\u4ed5\u7d44\u307f\u3092\u7406\u89e3\u3059\u308b<\/a><\/p>\n\n\n\n<h2 id=\"toc1\" class=\"wp-block-heading\">\u74b0\u5883<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Laravel Sail<br>Laravel\uff1a10.15.0<br>\u30bb\u30c3\u30b7\u30e7\u30f3\u30c9\u30e9\u30a4\u30d0\uff1afile<\/li>\n\n\n\n<li>PHP\uff1a8.2.8<\/li>\n<\/ul>\n\n\n\n<h2 id=\"toc2\" class=\"wp-block-heading\">\u7d50\u8ad6<\/h2>\n\n\n\n<p>\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3084CSRF\u30c8\u30fc\u30af\u30f3\u3092\u78ba\u8a8d\u3057\u305f\u3051\u308c\u3070\u3001<br>Chrome\u306e\u30c7\u30d9\u30ed\u30c3\u30d1\u30c4\u30fc\u30eb\u7b49\u3067\u30ec\u30b9\u30dd\u30f3\u30b9Cookie\u306e\u8a72\u5f53\u306e\u5024\u3092<br>\u6b21\u306e$originalCookieValue\u5909\u6570\u306b\u683c\u7d0d\u3057\u3001\u6b21\u306e\u30b3\u30fc\u30c9\u3092tinker\u3067\u5b9f\u884c\u3059\u308c\u3070\u826f\u3044\u3002<br>(app.key\u306e\u5024\u304c\u308f\u304b\u308c\u3070tinker\u3067\u306a\u304f\u3066\u3082\u826f\u3044)<br>(\u6697\u53f7\u5316\u65b9\u5f0f\u3092\u78ba\u8a8d\u3059\u308b\u306a\u3089config\/app.php\u306ecipher\u3092\u78ba\u8a8d\u3059\u308c\u3070\u826f\u3044)<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\n$originalCookieValue = &#039;\u30ec\u30b9\u30dd\u30f3\u30b9Cookie\u306e\u8a72\u5f53\u306e\u5024&#039;;\n$laravelSessionDecoded = base64_decode($originalCookieValue);\n$json = json_decode($laravelSessionDecoded);\n$ivDecoded = base64_decode($json-&gt;iv);\n$keyDecoded = base64_decode(substr(config(&#039;app.key&#039;), 7));\n$valueDecrypted = openssl_decrypt($json-&gt;value, &#039;aes-256-cbc&#039;, $keyDecoded, 0, $ivDecoded);\n$result = substr($valueDecrypted, strpos($valueDecrypted, &#039;|&#039;) + 1);\n<\/pre><\/div>\n\n\n<h2 id=\"toc3\" class=\"wp-block-heading\">\u8a73\u7d30<\/h2>\n\n\n\n<p>Laravel\u3067\u52d5\u3044\u3066\u3044\u308b\u30da\u30fc\u30b8\u306e\u3069\u3053\u304b\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001<br>laravel_session(\u30c7\u30d5\u30a9\u30eb\u30c8\u306a\u3089\u3053\u306e\u540d\u524d)\u3084XSRF-TOKEN\u306eCookie\u304c\u30bb\u30c3\u30c8\u3055\u308c\u308b\u3002<br>\u30bb\u30c3\u30c8\u3055\u308c\u308b\u3053\u3068\u3084\u305d\u306eCookie\u306e\u5024\u306fChrome\u306e\u30c7\u30d9\u30ed\u30c3\u30d1\u30fc\u30c4\u30fc\u30eb\u304b\u3089\u78ba\u8a8d\u3067\u304d\u308b(\u30ec\u30b9\u30dd\u30f3\u30b9Cookie)\u3002<\/p>\n\n\n\n<p>Laravel\u306e\u30bb\u30c3\u30b7\u30e7\u30f3ID\u3092\u78ba\u8a8d\u3059\u308b\u3002<br>Laravel\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u30c9\u30e9\u30a4\u30d0\u304cfile\u306e\u5834\u5408\u306f\u3001\u6b21\u306e\u30d5\u30a9\u30eb\u30c0\u5185\u3092\u78ba\u8a8d\u3059\u308b\u3002<br>(\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u30bb\u30c3\u30b7\u30e7\u30f3ID)<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\nstorage\/framework\/sessions\n<\/pre><\/div>\n\n\n<p>Laravel\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u30c9\u30e9\u30a4\u30d0\u304cdatabase\u306e\u5834\u5408\u306f\u3001sessions\u30c6\u30fc\u30d6\u30eb\u306eid\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/p>\n\n\n\n<p>\u30ec\u30b9\u30dd\u30f3\u30b9Cookie\u306e\u78ba\u8a8d\u3057\u305f\u3044Cookie\u306e\u5024\u304c\u6b21\u306e\u6587\u5b57\u5217\u3060\u3068\u3059\u308b\u3002(\u5f8c\u308d\u306e%3D\u306f\u306a\u304f\u3066\u3082\u7d50\u679c\u306f\u5909\u308f\u3089\u306a\u304b\u3063\u305f\u3002\u3082\u3057\u5b58\u5728\u3059\u308b\u306a\u3089URL\u30c7\u30b3\u30fc\u30c9\u304c\u5fc5\u8981\u3060\u3068\u601d\u308f\u308c\u308b)<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\neyJpdiI6IkV5ZlJReTJxeGFFRUUvM25kZXpJcXc9PSIsInZhbHVlIjoiK2ZLZ3lLVXRCeUFDTmt2RlN4ODRDdXJnS1pRVHhJQ3FKQ1N0Z2xBQXpiWkRRM0NFSUM2NWVKSUpFS0hVWHdPbnk0bXc4anBIem9NNDJhY3dZTzRwUVBhRUxwd0JMMjVvcXlkMzRLZ2Ntb3d6YkpKNE53M3RsUVZHUmRibzdPbEciLCJtYWMiOiIyYTYzZmViNzkyMjk1Njg0OWI3YjIzNWE3ZDQxYmViY2UzYjkzMjU1Nzk0MjZkZDIxODA0MzQxOTU0NTY1MTNlIiwidGFnIjoiIn0\n<\/pre><\/div>\n\n\n<p>Laravel\u306etinker\u3092\u8d77\u52d5\u3057\u3066\u3001\u4e0a\u306e\u7d50\u8ad6\u306b\u3042\u308b\u30b3\u30fc\u30c9\u3092\u6b21\u306e\u3088\u3046\u306b\u5b9f\u884c\u3059\u308b\u3002<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\n$originalCookieValue = &#039;\neyJpdiI6IkV5ZlJReTJxeGFFRUUvM25kZXpJcXc9PSIsInZhbHVlIjoiK2ZLZ3lLVXRCeUFDTmt2RlN4ODRDdXJnS1pRVHhJQ3FKQ1N0Z2xBQXpiWkRRM0NFSUM2NWVKSUpFS0hVWHdPbnk0bXc4anBIem9NNDJhY3dZTzRwUVBhRUxwd0JMMjVvcXlkMzRLZ2Ntb3d6YkpKNE53M3RsUVZHUmRibzdPbEciLCJtYWMiOiIyYTYzZmViNzkyMjk1Njg0OWI3YjIzNWE3ZDQxYmViY2UzYjkzMjU1Nzk0MjZkZDIxODA0MzQxOTU0NTY1MTNlIiwidGFnIjoiIn0\n&#039;;\n$laravelSessionDecoded = base64_decode($originalCookieValue);\n$json = json_decode($laravelSessionDecoded);\n$ivDecoded = base64_decode($json-&gt;iv);\n$keyDecoded = base64_decode(substr(config(&#039;app.key&#039;), 7));\n$valueDecrypted = openssl_decrypt($json-&gt;value, &#039;aes-256-cbc&#039;, $keyDecoded, 0, $ivDecoded); \n$result = substr($valueDecrypted, strpos($valueDecrypted, &#039;|&#039;) + 1);\n<\/pre><\/div>\n\n\n<p>\u6700\u5f8c\u306b$result\u306b\u683c\u7d0d\u3055\u308c\u305f\u6587\u5b57\u5217\u306f\u6b21\u306e\u901a\u308a\u3060\u3063\u305f\u3002<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\neSZNZ3PVi7DoMhS1keK7jXzMH1ZtWeRpQlTdqxza\n<\/pre><\/div>\n\n\n<p>\u6b21\u306b\u8a72\u5f53\u3059\u308b\u30bb\u30c3\u30b7\u30e7\u30f3ID\u304c\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308c\u3070\u826f\u3044\u3002<\/p>\n\n\n\n<p>CSRF\u30c8\u30fc\u30af\u30f3\u3092\u78ba\u8a8d\u3059\u308b\u306a\u3089\u3001XSRF-TOKEN\u306eCookie\u306e\u5024\u306b\u5bfe\u3057\u3066\u4e0a\u8a18\u306e\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308c\u3070\u826f\u3044\u3002<br>XSRF-TOKEN\u306e\u5024\u306f\u3001\u8a72\u5f53\u3059\u308b\u30bb\u30c3\u30b7\u30e7\u30f3\u5185\u306b_token\u3068\u3044\u3046\u540d\u524d\u3067\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u3002<\/p>\n\n\n\n<h2 id=\"toc4\" class=\"wp-block-heading\">\u4f59\u5206\u306a\u304a\u8a71<\/h2>\n\n\n\n<h3 id=\"toc5\" class=\"wp-block-heading\">Cookie\u306e\u5024\u306b\u3064\u3044\u3066<\/h3>\n\n\n\n<p>\u4e0a\u8a18\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u5f8c\u3001$json\u306e\u5185\u5bb9\u3092\u898b\u308b\u3068\u3053\u3046\u306a\u3063\u3066\u3044\u305f\u3002<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\n&gt; $json;\n= {#6262\n    +&quot;iv&quot;: &quot;EyfRQy2qxaEEE\/3ndezIqw==&quot;,\n    +&quot;value&quot;: &quot;+fKgyKUtByACNkvFSx84CurgKZQTxICqJCStglAAzbZDQ3CEIC65eJIJEKHUXwOny4mw8jpHzoM42acwYO4pQPaELpwBL25oqyd34KgcmowzbJJ4Nw3tlQVGRdbo7OlG&quot;,\n    +&quot;mac&quot;: &quot;2a63feb7922956849b7b235a7d41bebce3b9325579426dd2180434195456513e&quot;,\n    +&quot;tag&quot;: &quot;&quot;,\n  }\n<\/pre><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>iv<br>AES-256-CBC\u3067\u306e\u6697\u53f7\u5316\u5fa9\u53f7\u5316\u3067\u4f7f\u7528\u3059\u308b\u3082\u306e\u3002<\/li>\n\n\n\n<li>value<br>\u6697\u53f7\u5316\u3055\u308c\u305f\u5185\u5bb9\u3002\u300c|\u300d\u306e\u5de6\u5074\u306e\u6587\u5b57\u5217\u306fEncryptCookies->encrypt\u30e1\u30bd\u30c3\u30c9\u5185\u3067\u3001CookieValuePrefix::create\u30e1\u30bd\u30c3\u30c9\u3067\u52a0\u3048\u3089\u308c\u3066\u3044\u308b\u3001Cookie\u540d\u3068\u30ad\u30fc\u3068Cookie\u5024\u306e\u30cf\u30c3\u30b7\u30e5\u306a\u306e\u3067\u6c17\u306b\u3057\u306a\u3044\u3067\u826f\u3044\u3002<\/li>\n\n\n\n<li>mac<br>iv\u3068value\u306e\u5024\u3068\u30ad\u30fc\u3092\u3082\u3068\u306b\u30cf\u30c3\u30b7\u30e5\u5316\u3055\u308c\u305f\u6587\u5b57\u5217\u3002<\/li>\n\n\n\n<li>tag<br>\u672a\u78ba\u8a8d\u3002<\/li>\n<\/ul>\n\n\n\n<h3 id=\"toc6\" class=\"wp-block-heading\">\u518d\u5ea6\u6697\u53f7\u5316\u3057\u305f\u3044\u5834\u5408<\/h3>\n\n\n\n<p>\u78ba\u8a8d\u306e\u305f\u3081\u306b\u518d\u5ea6\u6697\u53f7\u5316\u3057\u305f\u3044\u306a\u3089\u3001\u4e0a\u8a18\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u5f8c\u3001\u6b21\u306e\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u3067\u78ba\u8a8d\u3067\u304d\u308b\u3002<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\n$encrypted = openssl_encrypt($valueDecrypted, &#039;aes-256-cbc&#039;, $keyDecoded, 0, $ivDecoded);\nif (strcmp($encrypted, $json-&gt;value) === 0) printf (&#039;match&#039;);\n<\/pre><\/div>\n\n\n<h3 id=\"toc7\" class=\"wp-block-heading\">mac\u306e\u5024\u306b\u3064\u3044\u3066<\/h3>\n\n\n\n<p>\u6b21\u306e\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u3059\u308b\u3068\u3001$json->mac\u3068\u540c\u3058\u5024\u304c\u751f\u6210\u3067\u304d\u308b\u3002<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: php; title: ; notranslate\" title=\"\">\nhash_hmac(&#039;sha256&#039;, $json-&gt;iv.$json-&gt;value, base64_decode(substr(config(&#039;app.key&#039;), 7)));\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"<p>\u53c2\u8003\u306b\u3057\u305f\u30da\u30fc\u30b8 \u203b \u3084\u3063\u3066\u308b\u3053\u3068\u306f\u4e0b\u8a18\u30b5\u30a4\u30c8\u3068\u5168\u304f\u540c\u3058\u3002 Laravel \u306e Cookie \u6697\u53f7\u5316\u306e\u4ed5\u7d44\u307f\u3092\u7406\u89e3\u3059\u308b \u74b0\u5883 \u7d50\u8ad6 \u30bb\u30c3\u30b7\u30e7\u30f3ID\u3084CSRF\u30c8\u30fc\u30af\u30f3\u3092\u78ba\u8a8d\u3057\u305f\u3051\u308c\u3070\u3001Chrome\u306e\u30c7\u30d9\u30ed\u30c3\u30d1\u30c4\u30fc\u30eb\u7b49\u3067\u30ec\u30b9 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[96],"tags":[88,81],"class_list":["post-988","post","type-post","status-publish","format-standard","hentry","category-laravel","tag-laravel","tag-php"],"_links":{"self":[{"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shinke1987.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=988"}],"version-history":[{"count":3,"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":991,"href":"https:\/\/shinke1987.net\/index.php?rest_route=\/wp\/v2\/posts\/988\/revisions\/991"}],"wp:attachment":[{"href":"https:\/\/shinke1987.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shinke1987.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shinke1987.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}