I am trying to simulate google+ button.In Somepart of code at LINK,It converts the session id into Some kinda hash.What i found is session id name is SAPISID and the converted h
VICTORY! Well for me at least =p the SAPISIDHASH I was looking for was the one in the api console. Automation for rather large job, totally legitimate.
Anyways -> the one I found was a SHA1 on the current javascript milliseconds timestamp plus your current SAPISID from your cookie plus the domain origin
In order for my request to work I had to include the following headers in the request
Authorization:SAPISIDHASH 1439879298823_
and
X-Origin:https://console.developers.google.com
The first header I assume tells the server your timestamp and your sha1 value. The second ( breaks if you don't include it ) tells it the origin to use in the sha1 algorithm.
I found the algorithm by digging through and debugging the hell out of tons of minified js NOTE there are spaces appended between the values
The psuedo code is basiclly >
sha1(new Date().getTime() + " " + SAPISID + " " + origin)
That is at least how I got my SAPISIDHASH value in my use case here in 2015 ( few years later I know )... different from yours but maybe I will help some other young good hacker out there one day