
Testing Cookies in Web Applications

Posted in Functional Testing, Software Testing, Web Testing

This article is written by Anamika Chowdhury from HCL. She can be contacted at Anamika.chowdhury@hcl.in

A “cookie” is a small piece of information that a web server sends to a web browser to store, so that it can later be read back from that browser. This is useful for having the browser remember specific information. Cookies are small data files that act as unique identifiers and allow our site to remember a particular user. Cookies do not harm the computer. Certain areas of our website, such as our forums, use cookies. Sometimes a user’s personal information is stored in cookies, and if someone hacks the cookie, the hacker can get access to that personal information. Even corrupted cookies can be read by different domains and lead to security issues. This is why testing website cookies is very important.

In this white paper, we will focus on the basics of cookies and on how to test website cookies.

INTRODUCTION

In today’s world, we use websites for numerous activities, such as shopping and travel ticket booking. This is where the word “cookie” comes into the picture. Almost everywhere, cookies are used to store the information sent by web servers.

So, we will first focus on what exactly cookies are and how they work.

What are cookies?

A cookie is a small piece of information stored by the web server in a text file on the user’s hard drive. This information is later used by the web browser to retrieve information from that machine. A cookie contains personalized user data or information that is used to communicate between different web pages. An example is when a browser stores your passwords and user IDs. Cookies are also used to store start-page preferences; both Microsoft and Netscape use cookies to create personal start pages.

Cookies are nothing but the user’s identity, and they are used to track where the user navigated throughout the website’s pages.

Why Cookie?

The communication between the web browser and the web server is stateless. For example, if you access http://www.example.com/1.html, the web browser simply queries example.com’s web server for the page 1.html. If you next type http://www.example.com/2.html, a new request for the page 2.html is sent to the example.com web server, and the web server knows nothing about whom the previous page 1.html was served to.

What if you want the previous history of this user’s communication with the web server? You need to maintain the user state and the interaction between the web browser and the web server somewhere. This is where the cookie comes into the picture. Cookies serve the purpose of maintaining the user’s interactions with the web server.

How does a cookie work?

To exchange information files on the web, the HTTP protocol is used. There are two types of HTTP protocol: Stateless HTTP and Stateful HTTP protocol.

Stateless system

A stateless system has no record of previous interactions, and each request has to be handled based entirely on the information that comes with it. For example, if we enter http://www.example.com/sample.html into our web browser’s address bar and press Enter, then the conversation between the browser and the example.com web server goes like this: the web browser simply queries the example.com web server for the page sample.html.

Once the browser receives the last byte of information using HTTP, the example.com web server essentially forgets about the request data. If we now send another request to the web server, it will act on that request with no memory of the earlier one. It does not need to remember the earlier request in order to respond to the new one. This isn’t bad for the example.com website; no harm, no foul.

Stateful system

Are there cases where the state does matter for a web-based system? The answer is YES, and here comes the Stateful system. Stateful HTTP protocols do keep some history of previous web browser and web server interactions, and this protocol is used by cookies to maintain the user interactions.

Whenever a user visits a site or page that uses a cookie, a small piece of code inside that HTML page writes a text file, called the cookie, on the user’s machine. When the user visits the same page or domain at a later time, this cookie is read from disk and used to identify the second visit of the same user to that domain. The expiration time is set while writing the cookie. This expiration time is decided by the application that is going to use the cookie.

Applications where cookies are used

Online Ordering Systems: An online ordering system could be developed using cookies that remember what a person wants to buy. This way, if a person spends three hours ordering CDs at your site and suddenly has to get off the net, they could quit the browser, return weeks or even years later, and still have those items in their shopping basket.
Website Tracking: Site tracking can show you places on your website that people go to and then wander off because they don’t have any more interesting links to hit. It can also give you more accurate counts of how many people have been to pages on your site.
Shopping: Cookies are used for maintaining an online ordering system. Cookies remember what the user wants to buy. What if the user adds some products to the shopping cart and closes the browser window? The next time the same user visits the purchase page, he can see all the products he added to the shopping cart on his last visit.
Marketing: Some companies use cookies to display advertisements on user machines. Cookies control these advertisements.
User IDs: Cookies can track user sessions on a particular domain using the user ID and password.

The death of a cookie!

When a web server sets a cookie on the system, it optionally gives it a “death” expiration date. When that date is reached, the cookie is deleted from the system.

If the web server does not give an expiration date to a cookie, then the cookie is a per-session cookie. Per-session cookies are deleted as soon as you close the current session of the browser. So, if the cookie does not have a death date, then as soon as the browser is closed, the cookie is no longer on your system.

Browser Cookie Settings

Listed below are examples of the steps taken to view your browser’s cookie settings:

Changing cookie settings for Mozilla Firefox 1.5 (Adapted from the Firefox 1.5 integrated help system)

By default, Firefox 1.5 accepts all cookies, including cookies which would allow a site to recognize you effectively forever. If you want to grant sites you trust the ability to store cookies permanently:

Click Exceptions

Enter the site address (In this case it would be americanadoptions.com)

Click Allow.

Changing cookie settings for Internet Explorer 7

Click on the Tools menu and then click Internet Options

Click the Privacy tab, and then click Sites.

Type americanadoptions.com in the Address of the Website field.

Click Allow to always allow cookies from americanadoptions.com

Changing cookie settings for Internet Explorer 6

Click on the Tools menu and then click Internet Options

Click the Privacy tab, and then click Sites.

Type americanadoptions.com in the Address of the Website field.

Click Allow to always allow cookies from americanadoptions.com

Changing cookie settings for Netscape 6

Click Edit Menu

Click Preferences

Select Privacy & Security

Select Cookies

To view your cookie settings on a browser not listed above, refer to your browser’s documentation.

Drawbacks of cookies

Loss of site traffic: A site that relies on cookies will be completely disabled and cannot perform any operation if a user has set the browser options to warn before writing any cookie or has disabled cookies completely. This results in loss of site traffic.
Loads of cookies: If too many cookies are written on every page navigation and the user has turned on the option to warn before writing a cookie, this could turn the user away from the website, which could result in loss of site traffic and eventually loss of business.
Valuable hard drive space: Cookies take up valuable hard drive space, so it may be to your advantage to delete a few on occasion, especially third-party cookies. Third-party cookies are placed on your computer by sites you haven’t visited. They usually come from companies who place ads on sites you have visited. Luckily, most browsers give you the option of rejecting only third-party cookies.
Security: Sometimes a user’s personal information is stored in cookies, and if someone hacks the cookie, the hacker can get access to that personal information. Even corrupted cookies can be read by different domains and lead to security issues. Some sites may write and store your sensitive information in cookies, which should not be allowed due to privacy concerns.

Cookie Testing

Now that we know the basics of cookies, let’s address how to test sites that use cookies.

Disabling Cookies

This is probably the easiest way of cookie testing. What happens when all cookies are disabled? Start like this: close all browsers and delete all cookies from the PC.

Now, open the website which uses cookies for actions and perform the major functions on the website. Most of the time, these will not work because cookies are disabled. This isn’t a bug: disabling cookies on a site that requires cookies disables the site’s functionality.

Is it obvious to the website user that cookies must be enabled? If the web server recognizes that attempts are being made with cookies disabled, does it send a page with a normal message that cookies need to be enabled before the site will work?

There should not be any page crash due to disabling the cookies.

Selectively Rejecting cookies

What happens when some of the cookies are accepted and some are rejected? If there are ten cookies in the web application, then randomly accept some of them, say, accept five and reject five. To execute this test case, set the browser options to prompt whenever a cookie is being written to disk, delete all previously saved cookies, close all open browsers and then start the test. Try to access the major functionality of the website. On the prompt window, you can either accept or reject a cookie. What happens: do pages crash, or does data get corrupted?

Corrupting cookies

This is the test which will test the site! For this, we need to know which cookies the website is saving and what information is stored in the text files. Manually edit the cookie in Notepad and change the parameters to some vague values. For example, change the content of the cookie, change the name of the cookie, and then perform actions on the website. In some cases, corrupted cookies allow any other domain to read the data inside them. This should not happen in the case of your website’s cookies. Note that the cookies written by one domain, say rediff.com, can’t be accessed by another domain, say yahoo.com.

Cookie Encryption

There are websites where we have no option other than saving sensitive data in the cookie. In that case, it needs to be tested that the data stored in the cookie is stored in encrypted format.
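One way to automate this check, as an added example that is not part of the original article: given the Set-Cookie headers a site returns and the known values of a test account, it flags any cookie from which those values can be read back in plain, percent-encoded or base64 form (encoding is not encryption), and it reports whether each cookie is per-session or persistent as described under “The death of a cookie!”. The account values, cookie names and headers are constructed for illustration.

```python
import base64
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed test-account values and constructed Set-Cookie headers (not from a real site).
SENSITIVE = ["alice@example.test", "S3cret!"]
SAMPLE_HEADERS = [
    "sid=8f3c1e9ab27d4c55; Path=/; HttpOnly",
    "user=alice%40example.test; Max-Age=3600; Path=/",
    "remember=" + base64.b64encode(b"alice@example.test:S3cret!").decode()
    + "; Max-Age=2592000; Path=/",
]


def decoded_views(value):
    """Return the raw cookie value plus its percent-decoded and base64-decoded forms."""
    views = {value, unquote(value)}
    for candidate in list(views):
        padded = candidate + "=" * (-len(candidate) % 4)
        try:
            views.add(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except ValueError:  # not base64, or not text once decoded
            pass
    return views


def audit_cookies(set_cookie_headers, sensitive_values):
    """Map each cookie name to its lifetime and the sensitive values readable from it."""
    report = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            views = [v.lower() for v in decoded_views(morsel.value)]
            exposed = sorted(s for s in sensitive_values
                             if any(s.lower() in v for v in views))
            # No Expires and no Max-Age means the browser drops it when the session ends.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            report[name] = {
                "lifetime": "persistent" if persistent else "per-session",
                "exposed": exposed,
            }
    return report


if __name__ == "__main__":
    for name, finding in audit_cookies(SAMPLE_HEADERS, SENSITIVE).items():
        print(name, finding)
```

An empty `exposed` list only shows that the known values were not recoverable by these simple decodings; it does not prove the cookie is encrypted.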

Deletion of cookies

Access a website and allow it to write a cookie. Now close all the browsers and manually delete the cookies. Open the same website again and try to work on it. Does it crash?

Sometimes, a cookie written by a domain, say ABC.com, may be deleted by the same domain but by a different page under that domain. This is a common case if you are testing an ‘action tracking’ web portal. Action tracking or purchase tracking is placed on the action web page, and when the user performs any action or purchase, the cookie written to disk is deleted to avoid logging multiple actions from the same cookie. Check that reaching your action or purchase page deletes the cookie properly and that no more invalid actions or purchases are logged from the same user.
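The disabled, corrupted and deleted cookie tests above can be scripted instead of edited by hand. The following is an added example, not part of the original article: a small harness sends a missing, valid and several corrupted Cookie headers to a WSGI application and records whether any of them crashes the page. `cart_app`, the `cart` cookie and all header values are constructed stand-ins for the site under test.

```python
from http.cookies import CookieError, SimpleCookie
from wsgiref.util import setup_testing_defaults


def cart_app(environ, start_response):
    """Constructed stand-in for the site under test: item count kept in a 'cart' cookie."""
    try:
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    except CookieError:
        jar = SimpleCookie()  # unparseable header: treat as no cookies
    raw = jar["cart"].value if "cart" in jar else None
    if raw is None:  # cookies disabled, rejected or deleted
        count, note = 0, "Cookies must be enabled to keep your cart."
    elif raw.isdigit() and len(raw) <= 4:
        count, note = int(raw), ""
    else:  # corrupted value: discard it instead of trusting it or crashing
        count, note = 0, "Your cart was reset."
    headers = [("Content-Type", "text/plain"), ("Set-Cookie", f"cart={count}; Path=/")]
    start_response("200 OK", headers)
    return [f"items={count} {note}".encode()]


# Constructed Cookie headers, one per test idea from the article.
CASES = {
    "disabled or deleted": None,
    "valid": "cart=3",
    "empty value": "cart=",
    "non-numeric": "cart=abc",
    "negative": "cart=-1",
    "oversized": "cart=" + "9" * 5000,
    "renamed": "kart=3",
    "garbage": ";;==%%",
}


def run_cookie_cases(app):
    """Send each case to a WSGI app; an unhandled exception counts as a 500 page crash."""
    results = {}
    for name, cookie_header in CASES.items():
        environ, seen = {}, {}
        setup_testing_defaults(environ)
        if cookie_header is not None:
            environ["HTTP_COOKIE"] = cookie_header
        try:
            body = b"".join(app(environ, lambda status, hdrs, exc=None: seen.update(status=status)))
            results[name] = (int(seen["status"].split()[0]), body.decode())
        except Exception as exc:
            results[name] = (500, repr(exc))
    return results
```

Pass your own WSGI application object to `run_cookie_cases` in place of `cart_app` and review any case that comes back with a 5xx status.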

Multi-Browser testing

This is an important case: check that the web application’s pages write cookies properly on different browsers and that the website works properly using these stored cookies.

CONCLUSION

Cookies shouldn’t be put in the same category as the viruses, spam, or spyware that are often created to wreak havoc and chaos on computers. They are mostly benign tools to help you manage your time more efficiently on the Web. Plus, you have total control over them if you think your privacy is being violated. Therefore, accept or reject cookies as you want. Testing should be done properly to check that the website works with different cookie settings. For a demo, Amazon.com is a very good example of a website with good-quality cookie usage.
