chrome-cookies
Parses the Chrome browser's Cookies SQLite database file and retrieves the cookie list. The command converts cookie creation time, host key, name, expiration time, security attributes, and other data into structured fields.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR- Path to the ZIP file containing the cookie file. Use this option to query a cookie file inside a ZIP archive.
zipcharset=STR- Character set for ZIP file entries. Default:
utf-8
Target
FILE_PATH- Path to the Chrome browser's
CookiesSQLite file. Use a wildcard (*) to specify multiple files. The cookie file for Chrome version 96 or later is typically located atC:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.
Output fields
| Field | Type | Description |
|---|---|---|
_time | timestamp | Cookie creation time. Same value as the created field |
host_key | string | Host key that set the cookie |
top_frame_site_key | string | Site key of the top-level frame |
name | string | Cookie name |
value | string | Cookie value. Returns null when the value is an empty string, as recent Chrome versions use encrypted_value |
encrypted_value | string | Encrypted cookie value |
path | string | Cookie path scope |
expires | timestamp | Cookie expiration time |
priority | long | Cookie priority. Lower values are deleted first when disk space is insufficient |
is_secure | long | Secure cookie flag. 1: transmitted over HTTPS only, 0: no restriction |
is_httponly | long | HttpOnly cookie flag. 1: not accessible via JavaScript API, 0: accessible |
has_expires | long | Expiration date flag. 1: has expiration date, 0: session cookie |
is_persistent | long | Persistent cookie flag. 1: persists after browser closes, 0: deleted when session ends |
is_same_party | long | Same-party cookie flag. 1: first-party cookie, 0: third-party cookie |
samesite | long | SameSite attribute. -1: unspecified, 0: no_restriction, 1: lax, 2: strict |
source_scheme | long | Origin scheme where the cookie was set. 1: HTTP, 2: HTTPS |
source_port | long | Origin port number where the cookie was set |
created | timestamp | Cookie creation time |
updated | timestamp | Cookie modification time |
last_access | timestamp | Most recent access time of the cookie |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot load chrome cookies database: path | Unable to read the Cookies file at the specified path | Query aborted |
Description
The chrome-cookies command reads the cookies table from the Chrome browser's Cookies SQLite database file and converts each cookie record into structured fields.
Date fields (created, updated, expires, last_access) are converted from Chrome's internal WebKit timestamp (in microseconds) to a timestamp type. A timestamp value of 0 returns null.
String fields (host_key, name, value, etc.) return null when the value is an empty string.
To query a cookie file inside a ZIP archive, specify the ZIP file path in the zippath option and the path inside the ZIP as the target.
Examples
-
Querying Chrome cookies
chrome-cookies /opt/logpresso/evidence/CookiesRetrieves all cookie records from the
Cookiesfile at the specified path. -
Querying cookies from multiple profiles with a wildcard
chrome-cookies /opt/logpresso/evidence/*/CookiesQueries cookie files from multiple profile directories at once.
-
Querying a cookie file inside a ZIP archive
chrome-cookies zippath=/opt/logpresso/evidence/artifacts.zip Network/CookiesRetrieves cookie records from the
Network/Cookiesfile inside a ZIP archive. -
Filtering cookies from a specific host
chrome-cookies /opt/logpresso/evidence/Cookies | search host_key == ".example.com"Filters cookies set by a specific host.