Question

I am trying to read an HttpOnly cookie through a WPF, VB.NET application. The site in question, upon visit, serves 2 cookies: one HttpOnly, one regular.

I visit the site whose cookie I want to read via Internet Explorer. Then Developer tools --> Cache --> View cookie information. ONLY the regular cookie is shown there, not the HttpOnly one (Chrome displays both of them correctly. If I delete it and refresh, the site returns a 500 error so the cookie definitely exists).

I run my code, based on what is explained here: c# Get httponly cookie, which is as follows:

' At the top of the file:
Imports System.Runtime.InteropServices
Imports System.Security
Imports System.Text

' Inside the class:
' WinINet flag that asks InternetGetCookieEx to include HttpOnly cookies.
Private Const INTERNET_COOKIE_HTTPONLY As UInteger = &H2000UI

<SuppressUnmanagedCodeSecurity, SecurityCritical, DllImport("wininet.dll", EntryPoint:="InternetGetCookieExW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True)>
Friend Shared Function InternetGetCookieEx(<[In]> Url As String, <[In]> cookieName As String, <Out> cookieData As StringBuilder, <[In], Out> ByRef pchCookieData As UInteger, flags As UInteger, reserved As IntPtr) As Boolean
End Function

<SecurityCritical()>
Public Shared Function GetCookie(url As String) As String
    ' UInteger matches the ByRef DWORD parameter of the native function.
    Dim size As UInteger = 0
    Dim sb As New StringBuilder
    ' First call with no buffer: WinINet reports the required size.
    If InternetGetCookieEx(url, vbNullString, Nothing, size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero) Then '<-- this always returns false
        If size = 0 Then
            Return Nothing
        End If
        ' Second call with a buffer large enough for the cookie data.
        sb = New StringBuilder(CInt(size) + 1)
        If Not InternetGetCookieEx(url, vbNullString, sb, size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero) Then
            Return Nothing
        End If
    End If
    Dim lastErrorCode = Marshal.GetLastWin32Error '<-- 259
    Return sb.ToString()
End Function

GetCookie("https://www.xyz.com")

I have tried numerous variations of the above, and the result is the same: lastErrorCode ALWAYS equals 259, which in turn translates to ERROR_NO_MORE_ITEMS, meaning that no cookies have been found.

1) The site in question is in the trusted sites zone, so it doesn't work under protected mode.

2) The site is under SSL (I do not know if this has to do with anything).

3) I have desperately searched my hard disk for these cookies' location, to no avail.

4) Both are session cookies (i.e. no declared expiration date)

5) Windows 8 x64, IE10, VS2012

This is a tiny bit of a project milestone which has given me countless hours of pain, so any help will be greatly appreciated.

I am very willing to change my methodology completely as soon as it will give me this cookie's value, unless it's overkill (i.e. winpcap / fiddlercore etc.)

Solution

You're correct to note that your code would only ever work in the Trusted Zone, due to Q10 here: http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx since cookies aren't shared between IE (which runs in Protected Mode or AppContainer) and your application (which runs at Medium IL).

You should pass a valid URL into the function (e.g. you need at least a trailing slash after the hostname); even if an invalid URL works today, it might not in the future.

Also keep in mind that you'll only ever see IE's persistent cookies with this code; Session cookies are isolated per-process, so your application won't see Session cookies from an IE tab.

Other tips

To all whom it may concern: Eric was absolutely right: Session cookies are in-process, so they are virtually invisible from the outside world.

One possible solution that works is the following: Load the site in a webbrowser control. The code I posted works as expected.
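
The approach from the answers above, as an added example that is not code from the original posts: host the page in a WPF WebBrowser control so the session cookies live in your own process, give WinINet a URL that includes a path, and read the cookies with the HttpOnly flag once the page has loaded. The class name InProcessCookieReader and its members NormalizeUrl, GetCookies and ReadAfterLoad are hypothetical.

```vbnet
Imports System
Imports System.Runtime.InteropServices
Imports System.Text
Imports System.Windows.Controls
Imports System.Windows.Navigation

' Added example, not code from the original posts. All names here are hypothetical.
Public Class InProcessCookieReader
    Private Const INTERNET_COOKIE_HTTPONLY As UInteger = &H2000UI

    <DllImport("wininet.dll", EntryPoint:="InternetGetCookieExW", SetLastError:=True, CharSet:=CharSet.Unicode, ExactSpelling:=True)>
    Private Shared Function InternetGetCookieEx(url As String, cookieName As String, cookieData As StringBuilder, ByRef size As UInteger, flags As UInteger, reserved As IntPtr) As Boolean
    End Function

    ' Uri.AbsoluteUri always carries a path, so "https://host" becomes "https://host/".
    Public Shared Function NormalizeUrl(url As String) As String
        Return New Uri(url, UriKind.Absolute).AbsoluteUri
    End Function

    ' Returns the cookie string for the URL, or Nothing when this process's
    ' WinINet cookie jar holds nothing for it (e.g. error 259, ERROR_NO_MORE_ITEMS).
    Public Shared Function GetCookies(url As String) As String
        Dim target As String = NormalizeUrl(url)
        Dim size As UInteger = 0
        ' First call with no buffer: WinINet reports the required size.
        If Not InternetGetCookieEx(target, Nothing, Nothing, size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero) Then
            Return Nothing
        End If
        If size = 0 Then Return Nothing
        Dim sb As New StringBuilder(CInt(size) + 1)
        If Not InternetGetCookieEx(target, Nothing, sb, size, INTERNET_COOKIE_HTTPONLY, IntPtr.Zero) Then
            Return Nothing
        End If
        Return sb.ToString()
    End Function

    ' Reads the cookies only after the hosted control has loaded the page, so
    ' session cookies set by the response already exist in this process.
    Public Shared Sub ReadAfterLoad(browser As WebBrowser, onCookies As Action(Of String))
        AddHandler browser.LoadCompleted,
            Sub(sender As Object, e As NavigationEventArgs)
                If e.Uri IsNot Nothing Then onCookies(GetCookies(e.Uri.AbsoluteUri))
            End Sub
    End Sub
End Class
```

HttpOnly only hides the cookie from page script; the string returned here is a live session credential, so keep it out of logs and crash dumps.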

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow