Restore session cookies from google chrome userdir (>=20)

Question

There is a feature (or bug - see Chrome doesn't delete session cookies question - likely issue 128513) in Chrome 20 (or chrome 19). There is an option "Clear cookies and other site and plug-in data when I close my browser" - disabled; and "continue where I left of" - enabled. With such settings Chrome will save session cookies (which are marked to be deleted when browser closes) even after closing a browser. Even https (secure) cookies will be saved.

(And I double-checked that Chrome was closed and there was no any running Chrome here)

So, the question:

How Chrome saves such session-only cookies in UserDir (in the direcory of all user settings, it is like firefox's Profiles)? Let's assume that chrome is closed and we have full access to UserDir and registry.

Where cookies are stored? Are they in SQLite or in other ondisk format? Are they crypted or not?

Answer 1

Hmm, there seems to be "Cookies" file in UserDir of Chrome:

Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default

Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

This file is in SQLite database (can be opened by many tools, for example sqlitebrowser.org/). There is table "cookies" with (at april 2015, M42 version in stable):

INTEGER creation_utc
TEXT host_key
TEXT name
TEXT value
TEXT path
INTEGER expires_utc
INTEGER secure
INTEGER httponly
INTEGER last_access_utc
INTEGER has_expires
INTEGER persistent
INTEGER priority
BLOB encrypted_value

"value" text field of many recent cookies is empty; cookie value is stored in encrypted_value BLOB (I think, there was switch to encrypted storage of cookies some time ago - commited in February 2014, issue 313323 - older cookies are stored unencrypted, even secure ones). Session cookies are in the file too.

Encryption is enabled for (MAC) OS X and Windows:

Encrypt all stored cookies on selected operating systems.

As part of the goal of protecting private user information, this encrypts the cookie values on operating systems with user-specific crypto APIs and that do not otherwise protect this data.

Performance tests indicate a penalty of about 1ms per cookie (regardless of size) on a Mac and 0.1ms to 0.7ms (depending on the size) under Windows. This will be higher on older hardware but still insignificant.

Encrypted data is binary (with an overhead of 128 bytes on Windows) and binary data must be stored in a BLOB so only one of two fields ("value" or "encrypted_value") will have data with the other being empty. Both values, however, need to be read & written when accessing a cookie because they are marked "non null").

There are several decryption tools on overflow: * For Windows: Encrypted cookies in Chrome * For Linux and OS X: Decrypt Chrome Linux BLOB encrypted cookies in Python; Decrypting Chromium cookies

There is also "Current Session" file, protected when Chrome is running with 0x534e5353 0x01 (SNSS\0x01) magic. Some info about format is here: https://github.com/JRBANCEL/Chromagnon/wiki/Reverse-Engineering-SNSS-Format (source - chrome/browser/sessions/session_command.h)