iecook
Typos preserved from the original source :)
nimble install iecook
Below is the original post.
Hi again, have you ever needed to get the browser session automatically?
Well, the httpOnly option for cookies now makes this task harder, since
such cookies aren't available for JavaScript to read or write.
When developing integrations with some private APIs through reverse engineering, I faced this issue.
One example is my Google Bard batchexecute API implementation ↗ (GitHub).
This library uses a session cookie (__Secure-1PSIDTS) that expires after some
usage, but since I needed to make it fully automatic, I created iecook.
The first need was to get Google session cookies, which is why it was previously called Gookie ↗ (GitHub).
But now iecook can get the cookies from any website. Just import it:
import pkg/iecook
And run:
let allCookies = iecook "https://example.com"
The proc iecook returns all cookies from all of the browser's
contexts (containers). In Chrome, since there are no multiple containers as
in Firefox, just a default container is returned.
# Example mocked result as it requires a browser with the userscript installed on it
let allCookies: IeCookList = @[
  ("firefox-container-1", @[
    ("session", "psRXXrIDRCWlfyGnf1RA"),
    ("userId", "5235"),
  ]),
  ("firefox-container-2", @[
    ("session", "2lgScP6s5wMHGzJn3m8J"),
    ("userId", "6784"),
    ("anotherOne", "Hello World! Again")
  ])
]
# Example usage
import std/strformat
for (context, cookies) in allCookies:
  echo fmt"Got {cookies.len} cookies from {context}: '{cookies}'"
Got 2 cookies from firefox-container-1: 'session=psRXXrIDRCWlfyGnf1RA;userId=5235'
Got 3 cookies from firefox-container-2: 'session=2lgScP6s5wMHGzJn3m8J;userId=6784;anotherOne=Hello World! Again'
How does it work?
As said before, most JavaScript contexts don't have access to httpOnly
cookies, even in a userscript. But extensions can access them.
This library basically opens an HTTP server that has just two routes: one to provide the requested domain and the other to receive the cookies. The extension tries to request the domain all the time, and when the server is open, it retrieves the cookies of all contexts and sends them to you.
When the server receives the cookies, it closes and returns them to you.
Should I use this?
This is a workaround, a dirty workaround. For this solution to work, you need to keep your web browser open with iecook installed, and your application will freeze until it receives the cookies.
This isn't a solution for production, and keep in mind that keeping the client extension installed is potentially dangerous, because a malicious application can request your cookies without your consent.
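The danger above comes from the extension answering whatever is listening on the local port. One way to limit it is a user-approved allowlist checked inside the extension before any cookies are sent, so a local requester can only obtain cookies for sites the user has approved. The JavaScript below is an added example, not iecook's code; the function names, the `approvedHosts` structure and the HTTPS-only rule are assumptions.

```javascript
// Added example, not iecook's code: a consent gate an extension could apply
// to the URL handed out by the local server before releasing any cookies.
// Function names and the approvedHosts shape are hypothetical.

// Return the requested hostname, or null when the request must be refused
// outright (malformed URL, non-HTTPS scheme, or embedded credentials).
function requestedHost(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // assumed policy: HTTPS only
  if (url.username || url.password) return null;
  // Strip a trailing dot so "example.com." and "example.com" compare equal.
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// True only for an exact approved host, or a subdomain of an entry that
// explicitly opts in. Suffix matching uses "." + host so lookalikes such as
// "notexample.com" or "example.com.evil.test" do not match "example.com".
function mayReleaseCookies(rawUrl, approvedHosts) {
  const host = requestedHost(rawUrl);
  if (host === null) return false;
  return approvedHosts.some(
    (entry) =>
      host === entry.host ||
      (entry.includeSubdomains === true && host.endsWith("." + entry.host))
  );
}

// Constructed sample data: the user's approvals and some incoming requests.
const approvedHosts = [
  { host: "example.com", includeSubdomains: true },
  { host: "api.example.org", includeSubdomains: false },
];
const sampleRequests = [
  "https://example.com/",
  "https://app.example.com/login",
  "https://example.com.evil.test/",
  "https://notexample.com/",
  "http://example.com/",
  "https://sub.api.example.org/",
  "not a url",
];
for (const u of sampleRequests) {
  console.log(mayReleaseCookies(u, approvedHosts) ? "release" : "refuse", u);
}
```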
Project using it
A project that uses iecook to get cookies is clibard ↗ (GitHub), a Google Bard CLI chat that uses the Google Bard private API.
Why iecook as a name?
This name is just cookie with the ie moved to the start. There's no
extra meaning :)
Outro
Thanks for reading. If you want to read more and try it yourself, continue reading at the iecook repository ↗ (GitHub).