the way of storing cookie for SAFARI has changed whith SAFARI 5.1 and that they add a kind of integrity control code in the last 8 bytes of the file :
The file is %APPDATA%\Apple Computer\Safari\Cookies\Cookies.binarycookies
Does anybody know what s the last 8 bytes corresponds to ?
CRC32 check ?
Please help
Cookie.binarycookies:
I think this will be helpful. I reversed engineer the file with an hex-editor and start changing the cookies.
The file is composed of several pages, each one can have one or more cookies inside. Each page has a header, which is variable, 0x10, 0x14 and 0x1c are common values we can see.
The file start with an 4 bytes header that is of no interest.
The next 4 bytes are of real interest because they indicate the number of pages there are in the file.
Then we have the length of each page, also represented by an 4 byte number. It's important to know that all these numbers are written in big-endian. So, we have 4*number of pages of bytes and then the pages.
We have 8 bytes at the end which also are of no interest.
Each page has a header whose length can change from one page to another. To know the length of the header, we must discard the first five bytes and the next 4 bytes will indicate the length of the header.
Following the header we will have the length of the cookie represented by 4 bytes, ordered in little-endian! This length also includes the 4 bytes needed for representing the length.
When this cookie ends another will start and so on to the end of the page.
The date of each cookies starts at 0x2B. The date is composed by 4 bytes ordered in little-endian. The date is represented in seconds but not since epoch so we need to subtract this number: 1706047360. (It only works for until some day in 2017)
The next field of interest starts from 0x38. This fields are dynamic fields so they are separated by an NULL “0x00” byte and are in this order: name, value, url, path.
http://i52.tinypic.com/2qcqix2.jpg
The length of the entire cookie will be 0x82. Next to this cookie will start another one in exactly the same format if corresponds with the page length.
This isn't going to answer your question exactly, but hopefully it gets to the heart of what you're trying to do.
You can read the contents of the binary cookie file located at ~/Library/Cookies/Cookies.binarycookies using the NSHTTPCookieStorage class, as shown in the following snippet:
NSHTTPCookieStorage *cookieStorage = [NSHTTPCookieStorage sharedHTTPCookieStorage];
for (NSHTTPCookie *c in [cookieStorage cookies])
{
NSLog(@"%@", c);
}
I've written a MacRuby script to do what you're looking for:
https://gist.github.com/1385008
#!/usr/bin/env macruby
require 'csv'
framework 'Foundation'
CSV_Headers = %w[domain path expiresDate name value].to_csv
class NSHTTPCookie
def to_csv
[domain, path, expiresDate, name, value].to_csv
end
end
store = NSHTTPCookieStorage.sharedHTTPCookieStorage
cookies = store.cookies
raw_csv = cookies.map(&:to_csv)
puts CSV_Headers
puts raw_csv.join
You need to install MacRuby, but then this will print out your cookies in a CSV format. It can easily be made to be cookies.txt compatible, as well.
I wrote a parser for Swift that can do this for you. I needed this because NSHTTPCookieStorage.sharedHTTPCookieStorage() doesn't give you access to the global cookies when sandboxed.
https://github.com/icodeforlove/BinaryCookies.swift
You can use it like this
BinaryCookies.parse(NSHomeDirectory() + "/Library/Cookies/Cookies.binarycookies", callback: {
(error:BinaryCookiesError?, cookies) in
if let cookies = cookies {
print(cookies);
} else {
print(error);
}
});
Currently there are a few projects that can do this in other languages as well:
I just got a list of urls from:
$ strings Cookies.binarycookies | grep '^A\.' | uniq
