Retrieve a cookie using c++

Hello,
Is it possible to create a cookie using PHP and then retrieve the same cookie using c++ installed on your computer? The cookie's name is known.
A cookie is something stored inside your web-browser, bound to a specific web-site and session.

What kind of C++ program are we talking about here? Is it a "stand-alone" program, or some kind of browser plug-in? If the program is stand-alone, then how does it integrate with the user's web-browser? How does it even "know" which web-browser the user used to access your web-site when the cookie was received ???

(Technically, the web-browser has to store the cookie somewhere on the HDD. But it will be very hard to retrieve, given that there are a zillion of different browsers, and each browser stores the cookies in its own undocumented way, which may even change over time. It's not clear what you really want to do)


Maybe what you want is to create is a browser extension, using the WebExtensions API, rather than writing a "stand-alone" program. But then the technology would be JavaScript and HTML5, not C or C++.

See here for details:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions
Last edited on
http://www.tizag.com/ajaxTutorial/ajaxbrowsersupport.php

<script language="javascript" type="text/javascript">
<!--
//Browser Support Code
function ajaxFunction(){
var ajaxRequest; // The variable that makes Ajax possible!

try{
// Opera 8.0+, Firefox, Safari
ajaxRequest = new XMLHttpRequest();
} catch (e){
// Internet Explorer Browsers
try{
ajaxRequest = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try{
ajaxRequest = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e){
// Something went wrong
alert("Your browser broke!");
return false;
}
}
}
}
//-->
</script>

What I mean is that browsers can be identified, can't C++ do this identification if necessary? And once it is identified (there are not a zillion browsers) as the one with the named cookie, can it read it?
This cookie will have a short life span (10 minutes to one hour) it is highly unlikely that the browser will change the way it stored its cookie.
The c++ is stand-alone.
How do you want to identify the browser?

The web-server to which the browser is talking to may be able to make an educated guess about which browser the user is using, by looking at the "user agent" header. But this is in no way reliable!

Your "stand-alone" C/C++ program, even when running on the same machine as the browser, has no relation to the web-browser. Even if you implement some sophisticated code to figure out which browsers are installed on the local machine, you still don't know which one of the (possibly many) browsers the user has used to access your web-site. You don't even know whether the user has accessed your web-site at all. And even if you knew which browser the user has been using to access your web-site, what exactly have you gained ???

Keep in mind that, much unlike JavaScript code, a C/C++ program does not run "inside" the web-browser! It is a totally separate process that, in and of itself, knows absolutely nothing about the web-browser 🙄

________

Things would be different if your C/C++ program actually would "embed" a full browser-engine (e.g. Blink), which would make it possible to start your "own" browser that you can control as needed...
Last edited on
I have a website, I want to sell a program (which is not in c++). Initially, when a buyer made a payment I wanted a code to be generated that was saved in a MySQL database. The buyer would receive an email with the code and then copy it into a small c++ program that would compare it to the code from the email in the database.
I am working in VC++ but I couldn't find the MySQL extension under assemblies. Although I added an extension now I can connect to SQL but not MySQL. So I decided I would try with cookies. The user would receive the code found in the cookie by email and then c++ would compare the two. If the two are the same the program would be automatically downloaded.
Last edited on
I have a website, I want to sell a program (which is not in c++). Initially, when a buyer made a payment I wanted a code to be generated that was saved in a MySQL database. The buyer would receive an email with the code and then copy it into a small c++ program that would compare it to the code from the email in the database.


Why would you want the program that is running on the end-users machine to connect to your (private) MySQL server where you store the payment information? Your MySQL server should be strongly shielded from the public Internet! And it should only be accessible as back-end from your own web-server!

Never ever give some "untrusted" clients the credentials to directly access your private database-server! 😨

If you need the program that is running on the end-users machine to check the given license key with your server, then your web-server should provide an API, e.g. REST-based, for that purpose, so that the client application can call the API from the users machine, using simple HTTPS. No need to expose your database server to the public Internet! No need to have any database code in the client program...

BTW: The term "assembly" is used with .NET applications and libraries, not "native" C/C++ code!
Last edited on
I am trying to use cookies at the moment. I have been using databases for over 10 years and I know how to protect the data.
Is anybody else reading these messages?
Last edited on
I am trying to use cookies at the moment. I have been using databases for over 10 years and I know how to protect the data.

Just because you are familiar with a certain tool, it does not mean that it is the right tool for everything.

From all that you have explained thus far about your goal - verify the given license key in a "native" C/C++ program that is running on the customer's machine - better forget about using browser cookies!

Also, never allow clients from the Internet to directly access your DB server that contains payment data.

Build a proper, e.g. RESTful, API into your web-server that the client's can query as needed....
Last edited on
Is anybody else reading this message?


Yes - but I can't help in this case.
Last edited on
The answer is that cookies are usually a disk file, as noted above, so yes, c++ can open and read them. However, that is just a pie in the sky excuse of an answer: also as noted above, the c++ program has to know where the file is to be able to look at it. Believe it or not, most people here are trying to help, but you are trying to do everything inverted here.
remember, c++ is compiled. so right off you have to install the c++ program that is compiled for the operating system the user has (mac, unix, win, phone, other?) or detect that they are on an invalid system and deny them the installer program and prevent letting them buy something they can't use. This is not to mention people that clean cookies after each session or block cookies and so on, or people using way off the mainstream browsers (there are a fair number out there).

I think you are being told that your approach is not going to work well. Yes, c++ can technically do all this, you can even search the whole disk for the file if it isnt in a few default locations (and many people have several disks...) but even so, it seems like a high risk and abnormal way to do what you want. This is way out of my league, so I don't have much more to offer beyond that it is technically possible and yet not a great idea.

Sorry, but I am having a monty python moment here this isnt aimed at you so much as comic relief, so take it as a joke ... "is there anyone else we could talk to" ... "no! now go away or we shall taunt you a second time"

I think you are being told that your approach is not going to work well. Yes, c++ can technically do all this, you can even search the whole disk for the file if it isnt in a few default locations (and many people have several disks...) but even so, it seems like a high risk and abnormal way to do what you want. This is way out of my league, so I don't have much more to offer beyond that it is technically possible and yet not a great idea.


...that, plus: Even if you manage to find the file where web-browser xyz stores its cookies, you can not expect this to be a simple plain-text file. For reasons of performance as well as reasons of security, this probably will be something like an SQLite or BerkeleyDB database file, possible encrypted and/or obfuscated. The "cookie db" file format certainly is internal to the the browser, not standardized and may change at any time.
Last edited on
Is it possible to create a cookie using PHP and then retrieve the same cookie using c++ installed on your computer?
You can send a [rest] request to server with c++ the same way the browser would do. The php script could answer with the content of the cookie which is plain text.

The question would be: How to identify the client? I.e. you need the relation to the client. The request client IP-address could be such an identifier.

Take a look at boost for how to communicate with a server:

https://www.boost.org/doc/libs/1_78_0/libs/beast/doc/html/index.html
You can send a [rest] request to server with c++ the same way the browser would do. The php script could answer with the content of the cookie which is plain text.

I think in this scenario it should be done the other way around: Send an "authorization token" (I won't call it "cookie" to avoid confusion) via REST/HTTP request to server and let the server check (in it's database) the validity. If the server answers "positive" the application is allowed to run, otherwise it will exit with error.

Of course, the connection must be protected by HTTPS, and the server's TLS certificate should be pinned in the client program, so that a "malicious" customer cannot trivially redirect the request to a bogus server that always responds "positive" for all requests without actually checking the authorization token 😏

Another great client-side HTTP(S) library is libcurl:
https://curl.se/libcurl/c/https.html

(The server-side part of the REST-API could probably written with a bunch of lines PHP code)

The question would be: How to identify the client? I.e. you need the relation to the client. The request client IP-address could be such an identifier.

An IP address is neither specific to a single user (because of NAT, any number of users could be hiding behind a single "public" IP address), nor is the IP address of a certain user always fixed. Most users use a "dial-up" connection that changes its IP address at least every 24 hours. IP address is not a good identifier.

Better send an "authorization token" along with the REST/HTTP request, either as query-string parameter or as a custom request header (e.g. "X-Auth-Token" header). The "authorization token" could be computed from the customer's license key, e.g. via SHA-256 hash function or via HMAC-SHA256 and some "secret" key.
Last edited on
@kigar64551

You are certainly right. Security is important. But this can be done in a second step. As far as I know boost/beast has https.

But at first i would think that OP may send the name of the cookie and receive the content.

Once it is done further security should be considered....
Topic archived. No new replies allowed.