1

While working on an Electron application I realised that the auth token that I store in a cookie isn't stored in the 'Cookie' file in its cache files, which reside at the path specified here in this post: "How to clear the cache data in Electron(atom shell)?".

Since I don't know the internals of how Electron or Chromium work I was hoping someone would help me answer the following questions:

  1. Does Electron store the cookies from the "mainWindow"* in the memory or in a file on the hard drive? If it does store it on the hard drive where and in which file exactly? (I need this info to evaluate a security issue)
  2. It would also be nice to know if the cookie stored by electron which uses Chromium is encrypted in some way.

*What I mean by mainWindow is when I open my web-application inside a window via electron code and then allow a user to log in. I need to know where that cookie that is stored after log in, is stored.

If anyone has any information regarding this do let me know.

Craig
  • 620
  • 6
  • 15
  • The path will vary depending on the platform or OS – Asesh Mar 13 '20 at 15:55
  • @Asesh Do you know exactly which file stores the cookies and are the cookies encrypted so that they can't be easily read? A path for any of the major OS's will do. – Craig Mar 13 '20 at 17:43

2 Answers

3

> Does Electron store the cookies from the "mainWindow"* in the memory or in a file on the hard drive? If it does store it on the hard drive where and in which file exactly? (I need this info to evaluate a security issue)

In Electron, cookies are stored on a per-session basis.

Let's say you're using your BrowserWindow's WebContents session to set a cookie like so:

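```javascript
const { app, BrowserWindow } = require('electron')

// Windows and sessions can only be used once the app is ready;
// the async callback also makes `await` legal here.
app.whenReady().then(async () => {
  const win = new BrowserWindow({ width: 800, height: 600 })
  win.loadURL('http://github.com')

  const ses = win.webContents.session
  const cookie = { url: 'http://www.github.com', name: 'dummy_name', value: 'dummy' }
  // No expirationDate is given, so this is set as a session cookie
  await ses.cookies.set(cookie)
})
```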

Your cookies should be available under your user data path, which you can access via the app.getPath('userData') API.

Note that the subdirectory depends on which session you're using. For instance, if you're using the `session.fromPartition('persist:your-part-name')` API, you'll need to navigate to the `Partitions/your-part-name` folder.

> It would also be nice to know if the cookie stored by electron which uses Chromium is encrypted in some way.

Cookies in Chromium are indeed encrypted (see changelist). Electron uses Chromium's implementation.

Erick
  • 1,138
  • 8
  • 15
  • Hi. Umm, I'm familiar with the Electron cookies API and I am also aware of the 'Cookies' file in the userData folder. However, when I opened the file with an SQLite DB viewer I didn't see my currently logged in user's cookie stored in that file. And hence was wondering where could Electron have stored it then? Or does it not store cookies that expire when the app closes? I need to basically know where my cookie is being stored and if it is stored securely using a technique like encryption or is it stored in plain text for everyone to see. – Craig Mar 14 '20 at 16:15
  • Electron uses Chromium's implementation of cookies behind the scenes, and I believe Chromium has [encrypted its cookies](https://codereview.chromium.org/24734007) for a while now. I think you're on the right file, and it does make sense that SQLite can't read the `Cookies` file directly because it's encrypted. – Erick Mar 14 '20 at 20:50
  • Thanks for the response Erick. The link definitely helps, though just wanted to point out that I actually can view the Cookies file via a SQLite viewer. I see cookies of other websites I've opened via Electron but not the auth cookie we use for the user's session. I'm guessing Electron doesn't store cookies created via HTTP headers but stores cookies of secondary links opened within Electron? But it's just a guess still. – Craig Mar 16 '20 at 10:52
0

I am loading an external webpage and the configuration below worked for me. By default the webpage is configured to use a "session cookie" and that's why I change it to a "persistent cookie" with an expiration date of 2 weeks:

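```javascript
// Modules to control application life and create native browser window
const {app, BrowserWindow} = require('electron')
const path = require('path')
const util = require('util')

function createWindow () {
  // Create the browser window.
  const mainWindow = new BrowserWindow({
    width: 700,
    height: 500,
    webPreferences: {
      preload: path.join(__dirname, 'preload.js'),
      // The "persist:" prefix makes this a persistent (on-disk) session
      partition: 'persist:infragistics'
    },
    icon: __dirname + '/assets/favicon.ico',
    show:false
  })

  let cookies = mainWindow.webContents.session.cookies;
  cookies.on('changed', function(event, cookie, cause, removed) {
    // Re-set every newly added session cookie as a persistent cookie
    if (cookie.session && !removed) {
      // A Secure cookie must be set from an https URL; the leading dot
      // of a domain cookie is not part of the host name
      let url = util.format('%s://%s%s', cookie.secure ? 'https' : 'http', cookie.domain.replace(/^\./, ''), cookie.path);
      console.log('url', url);
      // cookies.set() returns a Promise in current Electron versions
      cookies.set({
        url: url,
        name: cookie.name,
        value: cookie.value,
        domain: cookie.domain,
        path: cookie.path,
        secure: cookie.secure,
        httpOnly: cookie.httpOnly,
        // expirationDate is in seconds since the UNIX epoch: now + 14 days
        expirationDate: Math.floor(Date.now() / 1000) + 14 * 24 * 60 * 60
      }).catch(function(err) {
        // Log only the cookie name so the value does not end up in logs
        console.error('Error trying to persist cookie', err, cookie.name);
      });
    }
  });

  // Load your page and show the window here
}

app.whenReady().then(createWindow)
```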

Note: It's important to ensure that you've set the "partition" webPreferences property as well.

> A String that sets the session used by the page. If partition starts with persist:, the page will use a persistent session available to all pages in the app with the same partition. If there is no persist: prefix, the page will use an in-memory session.

You can check if the cookie is set from your Chrome application section:

Origin source.

Zdravko Kolev
  • 1,569
  • 14
  • 20
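
The two answers together explain why a login cookie can be missing from the `Cookies` file: the store location depends on the partition, and a session cookie (one with no expiration date) is not written to it. The following is an added example, not code from either answer or from Electron itself, that applies those rules to cookie objects shaped like the results of `ses.cookies.get({})`; the function names, the user data path and the sample cookies are assumptions made up for illustration.

```javascript
const path = require('path');

// Cookie store location for a session. Assumption: the layout described in the
// answers above (<userData>/Cookies, <userData>/Partitions/<name>/Cookies);
// verify it against the Electron version you ship.
function cookieStorePath(userData, partition) {
  if (!partition) return path.join(userData, 'Cookies'); // default session
  if (!partition.startsWith('persist:')) return null;    // in-memory session
  const name = partition.slice('persist:'.length);
  return path.join(userData, 'Partitions', name, 'Cookies');
}

// cookies: objects shaped like the results of ses.cookies.get({}).
function auditCookies(userData, partition, cookies) {
  const store = cookieStorePath(userData, partition);
  return cookies.map((c) => {
    const onDisk = store !== null && !c.session;
    const notes = [];
    if (store === null) notes.push('in-memory partition: nothing is written to disk');
    else if (c.session) notes.push('session cookie: not written to the Cookies file');
    if (!c.secure) notes.push('Secure flag not set');
    if (!c.httpOnly) notes.push('HttpOnly flag not set');
    return { name: c.name, onDisk, file: onDisk ? store : null, notes };
  });
}

// Constructed sample data, not taken from a real application.
const sampleCookies = [
  { name: 'auth_token', domain: 'app.example.test', session: true,
    secure: true, httpOnly: true },
  { name: 'prefs', domain: '.example.test', session: false,
    secure: false, httpOnly: false, expirationDate: 1900000000 },
];

// In an Electron main process the inputs would come from
// app.getPath('userData') and await ses.cookies.get({}).
function demo() {
  return auditCookies('/home/user/.config/MyApp', 'persist:your-part-name', sampleCookies);
}

console.log(JSON.stringify(demo(), null, 2));
```

Run against a real session, any cookie reported with `onDisk: true` is one whose protection at rest depends on the file's permissions and on Chromium's cookie encryption, which is what a review of the stored auth token needs to cover.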