Dealing with Vista’s Low Cookies

Vista with Internet Explorer 7 introduced a new security level called protected mode. Among other things, this mode stores cookies in a separate cache, which is inaccessible to normal mode processes. This "feature" caused me a bit of a problem with a Windows application I support.

Users download this application from a web site. When the application runs, it makes additional requests to the web site. The web site keeps track of these requests with cookies. The problem is that a typical user with default settings is going to hit the download in protected mode, thus leaving the cookie in the low integrity cache. But, the application runs in normal mode, so when it makes requests to the web site, the web site is unable to read the original cookie it left. There is no way for the normal mode application to get at this quarantined cookie. No easy way at least.

I should point out that this app is using automation to open Internet Explorer and download additional content. Even though it’s accessing the same web site, because the app is running in normal mode, the site is now accessed in normal mode as well. If you’re downloading files using wininet, you’ll get the same result. Web site sees the normal cache and can’t get the cookie it left the first time.

The solution I came up with is to run a low integrity process to read the cookie from the low cache and write it to a place where the application can read it, and then save it as a normal cookie. For the low integrity process, I run another copy of the application so there’s no extra baggage; it’s all self contained.

Step by step, here is the process:

1. Check if we’re running on Vista. You could also check if the browser is in protected mode, but finding or not finding the cookie is pretty much the same.

2. Run a new copy of the app in low integrity mode (you could have a separate app for this). What I do is pass a command line parameter to tell the app it needs to find the low cookie. Basically just get the filename for the current process using GetModuleFileName and use this sample code to start the new process.

Also note that since this app needs to run on all versions of windows, entry points to new Vista functions need to be dynamically loaded.

In the command line, I also pass the location where the cookie is to be written. You’ll need a location that both low and normal processes can access. Luckily Microsoft does provide such a thing. You can call SHGetKnownFolderPath with FOLDERID_LocalAppDataLow to get a folder that both processes can read and write.

3. When the low integrity process runs, it uses InternetGetCookie to read the cookie from the low cache. Because the process is low integrity, it automatically reads from the low cache.

Reading cookies in a C++ app is not as simple as you would think. I could make another post on that. In short, what you get back from InternetGetCookie is a string with all cookies for a given url separated by semicolons. Each cookie in the string is in the format name=data. So I ended up with some convoluted parsing routines. Well, maybe your cookies are written differently, but this is what I had to deal with. Anyway…

4. After finding the right cookie, the low integrity process writes it to a text file.

5. The main process, after waiting for the low process to finish, reads back the cookie data and uses InternetSetCookie to write the cookie to the normal cache. One caveat I found is that you have to append an expiration to the cookie string:

"; expires = Fri, 01-Jan-2038 00:00:00 GMT"

And that’s it. Now the web site can read the cookie it left on the initial download. Pretty big hoop for a basic operation that used to work all by itself for years. Thanks Microsoft!

2 thoughts on “Dealing with Vista’s Low Cookies

  1. Bob Zhong

    hi, Bill Zitomer
    Thanks for you article, it’s very useful to me. But There have a problem. I write the code to run low integrity mode from msdn in step 2, and the structure TOKEN_MANDATORY_LABEL is undeclare identify. I include the header of windows.h. But it seems no use. Hope you can give me same advice. Thank you! waitting for you respones.

Leave a Reply

Your email address will not be published. Required fields are marked *