Description of cookie files and the format of IE cookie files

1. essence of cookie files

Cookies are actually part of the content transmitted between the Web server and the client (typically a browser) during interaction. The content can be arbitrary, but it must be within the allowed length range. The client will save it on the local machine (for example, ie will be saved in a local TXT file), and the client program will manage it. Expired cookies will be automatically deleted. When a client accesses a webpage in a directory in a domain, the valid cookie information that is stored locally and belongs to the corresponding directory under that domain is attached to the header of the webpage request and sent to the server.

2. Cookie file storage location

Different clients have different cookie storage methods and locations. Here we only talk about the location of IE cookie files in windows.

In Windows 2000/XP, cookies are stored in the C:/Documents and Settings/<username>/cookies/directory by default (<username> here is the user name used to log on to the system, enter cookies to open the directory. The naming rule is <username >@< domain>. TXT.

Key words: cookie file name format: the number of times that cookieis changed in the web directory of cookiewebpage file of your user name @20..txt

Different from 2000/XP, in Windows 95/98/Me, cookie files are stored in the C:/Windows/cookies/directory by default.

3. Cookie File Format

IE's cookie file is actually a TXT text file, but the line break is marked as a Unix line break Mark (0x0a). Because notepad is incompatible with the Unix line feed mark, it seems inconvenient to open all the content in one line, we can open it with editplus or UltraEdit-32, and then we will see the following content:
Name
Value
Domain/
1600
1263382784
30020896
452781968
30020892
*
Description of each line:

English description:
Line Summary
1 The variable name
2 The value for the variable
3 The website of the cookie's owner
4 optional flags
5 The most significant integer for expired time, In filetime format
6 The Least Significant integer for expired time, In filetime format
7 The most significant integer for creation time, In filetime format
8 The Least Significant integer for creation time, In filetime format
9 The cookie record delimiter (A * character)

Chinese description:
Cookie variable name in the first line
Cookie variable value of the second line
The third line is the domain to which the cookie variable belongs, such as csdn.net/javasblog.csdn.net/or blog.csdn.net/lixianlin/
Optional flag of the fourth line
The upper integer of the cookie expiration time in filetime format.
Row 6: The low integer of the cookie expiration time (in filetime format)
The seventh line is the high integer of the cookie creation time (filetime format ).
Row 8: The low integer of the cookie creation time (in filetime format)
Line 9 cookie record delimiter (an asterisk *)

In addition, the domain of the cookie variable in the third row, such. It must be noted that.

Attached filetime format definition:
Typedef struct _ filetime {
DWORD dwlowdatetime;
DWORD dwhighdatetime;
} Filetime, * pfiletime, * lpfiletime;

 

1. Cookie file format:

Cookie files are a bunch of TXT files in the cookies directory of the operating system. File Name format:
<User name >@< Domain Name> numeric example .txt
That is, the same domain may have multiple cookie files:
[Email protected1_1_12.16.txt
[Email protected+%2%.txt
[Email protected+%3%.txt
The number in the file name is unknown. In fact, when you browse a webpage, the browser locates a file based on the index. dat in the cookies directory and then finds the corresponding Cookie field value.

The cookie file is in UNIX format and contains only line breaks (0x0a) without carriage return (0x0d ). Fields in each cookie file are separated by "*". Each field contains eight lines of information:

_ Ntes_nnid // field name

456f74e9863f8f4b1a1e37774b0c464d, 0 // Field Value

163. com // The domain to which the field belongs

3584 // flag

3205176064 // expiration time (low)

37425091 // expiration time (high)

2444768976 // creation time (low level)

30082544 // creation time (high)

 

The expiration time and creation time are filetime, which must be converted into hexadecimal format and then combined. The flag marks some security information, such as whether it is HTTPOnly (detailed later.

2. wininet API reads and writes cookies

For non-browser clients that want to read and write cookies, the following functions are available:

Internetgetcookie
Internetsetcookie
Internetgetcookieex
Internetsetcookieex
For more information about the parameter meanings, see msdn. Note the following:

1) The parameter lpszcookiename (Cookie field name) of the above four functions is generally null, rather than passing a field name as described in msdn, otherwise it may fail. When get is used, if null is passed, a file similar to "name1 = value1; name2 = value2 ;... you can parse such a string, but the information such as the flag and expiration time is lost. When set, null is passed. Other information (such as field name, value, and expiration time) is written in lpszcookiedata in a fixed format and passed in:

View plaincopy to clipboardprint?
My_name = my_value; Path =/; expires = Thu, 07-Mar-13 09:15:47 GMT; domain = .sohu.com; HTTPOnly
My_name = my_value; Path =/; expires = Thu, 07-Mar-13 09:15:47 GMT; domain = .sohu.com; HTTPOnly

Note: In the above Code, the time format is "day-month-year hour: minute: second ".

2) during get, if the parameter lpszurl is a level-1 domain name, all level-2 domain names under the domain name and qualified cookies under the subdirectory will be obtained at the same time. If the parameter lpszurl is a 2-level domain name, the cookie that meets the criteria under all subdirectories will be obtained at the same time. Such as http://sohu.com, will get the cookie under the http://bai.sohu.com.

3) Vista and win7, and IE7 or IE8, the IE protection mode is enabled by default. At this time, the cookies read and write by IE are not in the cookies directory, but in the low directory of the cookies directory. The directory from which the client reads the cookie depends on the permissions of the current client process: the normal permission process takes the cookies directory, and the restricted (low) Permission takes the low directory. Taking pinyinup.exe as an example, because the process of the input method is always started with normal permissions, to get the cookie in the low directory, you need to start another process with low permissions and use the sub-process to get it:

View plaincopy to clipboardprint?
{
Handle hprocess = getcurrentprocess ();
Handle htoken = NULL, htokennew = NULL;
Psid plntegritysicl = NULL;
Token_mandatory_label TMl = {0 };
Process_information procinfo = {0 };
Startupinfo = {0 };
Ulong exitcode = 0;

If (! Impersonateself (securityimpersonation )){
Return false;
}
// Specify low permissions:
If (! Convertstringsidtosid (sddl_ml_low, & plntegritysicl )){
Return false;
}
Bool Bres = false;
If (openprocesstoken (hprocess, maximum_allowed, & htoken )){
If (duplicatetokenex (htoken, maximum_allowed, null, securityimpersonation, tokenprimary, & htokennew )){
TMl. Label. Attributes = se_group_integrity | se_group_integrity_enabled;
TMl. Label. Sid = plntegritysicl;
If (settokeninformation (htokennew, tokenintegritylevel, & TML, sizeof (token_mandatory_label) + getlengthsid (plntegritysicl ))){
If (createprocessasuser (htokennew, null, szcmd, null, null, false, 0, null, null, & startupinfo, & procinfo )){
Bres = true;
}
If (bwait ){
Waitforsingleobject (procinfo. hprocess, 10*1000 );
}
}
Closehandle (htokennew );
}
Closehandle (htoken );
}
Return Bres;
}
{
Handle hprocess = getcurrentprocess ();
Handle htoken = NULL, htokennew = NULL;
Psid plntegritysicl = NULL;
Token_mandatory_label TMl = {0 };
Process_information procinfo = {0 };
Startupinfo = {0 };
Ulong exitcode = 0;

If (! Impersonateself (securityimpersonation )){
Return false;
}
// Specify low permissions:
If (! Convertstringsidtosid (sddl_ml_low, & plntegritysicl )){
Return false;
}
Bool Bres = false;
If (openprocesstoken (hprocess, maximum_allowed, & htoken )){
If (duplicatetokenex (htoken, maximum_allowed, null, securityimpersonation, tokenprimary, & htokennew )){
TMl. Label. Attributes = se_group_integrity | se_group_integrity_enabled;
TMl. Label. Sid = plntegritysicl;
If (settokeninformation (htokennew, tokenintegritylevel, & TML, sizeof (token_mandatory_label) + getlengthsid (plntegritysicl ))){
If (createprocessasuser (htokennew, null, szcmd, null, null, false, 0, null, null, & startupinfo, & procinfo )){
Bres = true;
}
If (bwait ){
Waitforsingleobject (procinfo. hprocess, 10*1000 );
}
}
Closehandle (htokennew );
}
Closehandle (htoken );
}
Return Bres;
}

 

4) In IE7 and later, the cookie introduces an attribute HTTPOnly with a value of 0x2000. This flag is a security flag. If a cookie field has this attribute (the flag bit has 0x2000), the web script cannot obtain this field, this field only exists in the HTTP request header. For clients, there are:
In IE6 or IE7 environments: the client cannot obtain the value of this field through internetgetcookie. It can only read the cookie text and then parse it manually (Refer to Part 1: cookie file format ).
In IE8 environment: the client can obtain this field value through internetgetcookieex and the dwflags parameter contains 0x2000.

Description of cookie files and the format of IE cookie files