
What is Cookie Testing and How to Perform?

October 27, 2016 Types of Testing

By definition, a cookie is a small text file stored in the browser's directory or in the program data subfolders. Cookies are referred to by an ID tag. When a browser is used, information about the user's actions is stored in cookies. Information such as login details, preferences and customized use of functions is stored to track the user's visits and movements, so cookie testing has emerged as one of the critical types of software testing.

Cookies Types

  • Session Cookies: Cookies that are created temporarily in the browser subfolder when visiting a website. When the browser is closed, the cookie is deleted.

  • Persistent Cookies: Persistent cookies remain in the subfolder even after the browser is closed. They are activated the next time the website is visited. The cookie remains in the subfolder for the duration set in the cookie file.

Cookie Attributes

The purpose of a cookie is to secure the user's identity, and a certain set of attributes exists for that.

  • HttpOnly Attribute: This attribute protects the cookie from being accessed by client-side scripts. The syntax for creating a cookie: [;=][;secure ][; HttpOnly]
  • Secure Attribute: The purpose of this attribute is to ensure that the data is transferred over an encrypted channel only.
  • Domain Attribute: This attribute should be set so that the domain is the server which accepts the cookies. This prevents vulnerable servers from receiving the cookie.
  • Path Attribute: The path to which the cookie is sent should be specified. Avoid keeping the root directory path; use an inner folder for security.
  • Max-Age: Specifies the duration of the cookie.
  • Expires: Set to ensure that after the specified time period the session will not contain any sensitive information.
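The attribute checks above can be run automatically against the Set-Cookie headers a site returns. The following is an added example, not code from the original article; the 30-day lifetime limit, the function names and the two sample headers are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=30)  # assumed policy limit, not from the article

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def lifetime(attrs, now):
    """Max-Age takes precedence over Expires; None means a session cookie."""
    try:
        return timedelta(seconds=int(attrs["max-age"]))
    except (KeyError, ValueError):
        pass
    try:
        return parsedate_to_datetime(attrs["expires"]) - now
    except (KeyError, TypeError, ValueError):
        return None

def audit_cookie(header, issuing_host, now=None):
    """Return findings for the attributes listed above, in a fixed order."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != issuing_host.lower():
        findings.append("Domain wider than issuing host")
    if attrs.get("path") == "/":
        findings.append("Path is the root directory")
    age = lifetime(attrs, now)
    if age is not None and age > MAX_LIFETIME:
        findings.append("lifetime exceeds policy")
    return findings

# Constructed sample headers (not captured from any real site).
WEAK = "SESSIONID=abc123; Domain=.example.com; Path=/; Max-Age=31536000"
HARDENED = "SESSIONID=abc123; Path=/account; Max-Age=1800; Secure; HttpOnly"
```

Calling audit_cookie(WEAK, "shop.example.com") reports every attribute problem, while HARDENED produces an empty list.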

Cookie Testing

Cookie testing is the process of checking the status of the cookie, how long the cookie lasts, the accessibility of the cookie, the information stored in the cookie, the security constraints on using the cookie, and so on. For any website, it is essential to check how cookies are managed. Cookie testing also includes testing how the website performs when a cookie is removed. Website test engineers should perform cookie testing properly while testing the performance and functionality of websites.

How to Perform Cookie Testing?

Test for Sensitive Information

First, check how the cookie is written. Testing should make sure that no personal or sensitive data is stored in the cookie. If sensitive data is necessary in some cases, it should be stored in encrypted form. Also, for public websites, check whether cookies are overused. The overuse of cookies may lead to less traffic on the website. In Mozilla Firefox, the overuse of cookies can be checked by changing some settings under Tools.

  • Go to ‘Tools’.
  • Click on ‘Options’.
  • Go to ‘Privacy’.
  • Select ‘Use custom settings for history’ from the dropdown in the ‘History’ section.
  • For the ‘Accept third party cookies’ check box, select “Always”.

When you try to access a website, a dialog box will open to ask your permission for the cookie to collect personal data. The dialog box will be as given below:

dialog-box

Using Mozilla Firefox, find the cookies and test the cookie information with the following steps:

  • Go to ‘Tools’ and click on ‘Options’ in the menu bar.
  • Go to ‘Privacy’.
  • Click on the link ‘Remove Individual Cookies’.

You can get the list of the recently stored cookies and view the information by clicking on each cookie.

cookie-testing-1
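Inspecting each cookie by hand does not scale, and sensitive values are often hidden behind URL encoding or Base64. The following is an added example, not part of the original article, that scans a set of cookies for e-mail addresses, credential fields and card numbers; the patterns chosen and the sample cookies are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "credential field": re.compile(r"(password|passwd|pwd)\s*[=:]", re.I),
}
CARD = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decoded_views(value):
    """The URL-decoded value, plus its Base64 decoding when that is valid text."""
    text = unquote(value)
    views = [text]
    try:
        padded = text + "=" * (-len(text) % 4)
        views.append(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not Base64 text; only the plain view is scanned
    return views

def scan_cookies(cookies):
    """Map cookie name -> sorted list of sensitive-data findings."""
    report = {}
    for name, value in cookies.items():
        found = set()
        for view in decoded_views(value):
            found.update(k for k, rx in PATTERNS.items() if rx.search(view))
            if any(luhn_ok(m) for m in CARD.findall(view)):
                found.add("card number")
        if found:
            report[name] = sorted(found)
    return report

# Constructed sample jar; the card number is the standard 4111... test value.
SAMPLE = {
    "sid": "9f8e7d6c5b4a",
    "prefs": "theme%3Ddark",
    "profile": base64.b64encode(b"email=alice@example.com").decode(),
    "pay": "card%3D4111111111111111",
}
```

Base64 is an encoding, not encryption, which is why the "profile" cookie is still reported.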

Test by Disabling Cookie

This test checks the accessibility of the website after disabling the cookie. You can test either by changing the path of the cookie to a wrong path or by changing the information to another website's information. This will help to test the possibility of hacking.

Test by Removing the Cookie

This test checks the reaction of the website after the cookie is removed. The removal of the cookie may sometimes affect the performance of the website or break the links needed to proceed further. Sometimes it may lead to the creation of an unexpected cookie, which may result in some loss of data.

This test case is essential for the cookie testing of online shopping websites. The payment details should be removed just before order processing continues. This deletion of the cookie should not affect the website's performance.

Test for the Browser Compatibility

The browser compatibility of the cookie should be checked, i.e. the requirements for creating a cookie differ depending on the browser. This test should be performed by writing cookies for all versions of browsers such as IE, Firefox, Netscape, Google Chrome, Opera, etc.

Test by changing ID or value in the Address bar

Web applications use cookies to maintain the logged-in state of users. Some ID may be displayed in the address bar while navigating to the logged-in page. Change the ID and check whether the system navigates to another page or performs any function. Correct cookie handling will never allow access to any other account. The system should show an error message stating that access is denied.

Test by Editing cookie

If the web application maintains the user login details in a cookie, it should ensure that others can never get the information under any circumstances. You can edit the cookie with some other login details and check whether the system logs into that user account because of the cookie changes.
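For the edit test to fail safely, the server has to be able to tell that the cookie was changed. One common way to do that is to attach a keyed hash (HMAC) to the value; the following is an added example, not code from the original article, and the key, cookie layout and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real key is random and never leaves the server.
SERVER_KEY = b"constructed-demo-key"

def _tag(payload):
    """HMAC-SHA256 over the encoded payload, as a hex string."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user_id):
    """Build the cookie value '<base64 user id>.<hmac tag>'."""
    payload = base64.urlsafe_b64encode(user_id.encode()).decode()
    return f"{payload}.{_tag(payload)}"

def read_cookie(cookie_value):
    """Return the user id, or None when the value was edited or malformed."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None  # tag does not match the payload: reject the cookie
    try:
        return base64.urlsafe_b64decode(payload.encode()).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def edit_login(cookie_value, other_user):
    """Mimic the manual test: swap in other login details, keep the old tag."""
    _, _, tag = cookie_value.rpartition(".")
    changed = base64.urlsafe_b64encode(other_user.encode()).decode()
    return f"{changed}.{tag}"

def run_edit_test():
    """The unmodified cookie is accepted, the edited one is rejected."""
    original = issue_cookie("alice")
    return read_cookie(original), read_cookie(edit_login(original, "bob"))
```

run_edit_test() returns ("alice", None): the edited cookie does not log the tester in as the other user, which is the result the test case expects.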

The cookie manager in Google Chrome helps to add, edit, delete, search, protect and block cookies. Install the cookie manager in Chrome and use it by clicking on the EditThisCookie icon at the top of Chrome.

The screenshot below shows the cookie details. You can make the required changes in the cookie and run. Here, for example, consider flipkart.com.

Domain field: .flipkart.com

cookie-testing-2

Change this domain to .amazon.com

The cookie should not work after the change. An error message should be displayed.

Test for Accessibility of Cookies

Cookies created for one website should not be accessible by another website. You can edit the cookie attributes and check whether the cookie is accessible from other websites.
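Whether an edited cookie reaches a site at all is decided by the browser's domain, path and Secure matching rules (RFC 6265). The following is an added example, not part of the original article, that applies those rules to a small cookie jar; the jar is constructed, with example.com standing in for the site under test and example.org for the unrelated site, and every sample cookie is assumed to carry a Domain attribute.

```python
import ipaddress
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: equal, or host is a subdomain of the cookie domain."""
    host, domain = host.lower(), cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP-address hosts only ever match exactly
    except ValueError:
        return host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: equal, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_sent(jar, url):
    """Names of the cookies in jar that a browser would attach to url."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for c in jar:
        if not domain_match(host, c["domain"]):
            continue
        if not path_match(path, c["path"]):
            continue
        if c["secure"] and parts.scheme != "https":
            continue
        sent.append(c["name"])
    return sent

# Constructed jar: "edited" is a cookie whose Domain field was changed
# to the unrelated site, as in the edit test described above.
JAR = [
    {"name": "sid", "domain": ".example.com", "path": "/", "secure": True},
    {"name": "cart", "domain": ".example.com", "path": "/checkout", "secure": True},
    {"name": "edited", "domain": ".example.org", "path": "/", "secure": False},
]
```

The cookie with the changed domain is never attached to requests for example.com, and a wrong path or a plain-HTTP request drops the others. Browsers additionally refuse Domain values that are public suffixes such as "com", which this sketch does not model.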

Tools to check the Cookies

Many tools are available for performing cookie testing.

Cookie Tester

A Cookie Testing tool to check whether the browser rejects a cookie or not.

  • Set the Cookie name and Value
  • Click on ‘Set TestCookie’.

If you have set the browser to reject cookies, the cookie should be rejected; otherwise the cookie should be accepted. Here is the link to the Cookie Testing tool: http://www.html-kit.com/tools/cookietester/

Screenshot of the Tool Cookie Tester

cookie-testing-4

Cookie Checker

Another cookie testing tool, which can be used for checking the cookies available in a domain. The list of cookies will be displayed as follows:

Screenshot of the list of cookies in CookieChecker

cookie-testing-5

Conclusion

The purpose of the cookie is to get back the session of a page quickly while you are searching. So cookie testing is important and essential for avoiding security issues. For e-commerce websites, banking sites, etc., the cookie should be managed to protect personal information.

The data should be encrypted before it is stored in the cookie. Make sure all confidential data is kept encrypted, any unwanted cookies are removed after use, and the cookie testing test cases have passed.

About the author

Vaibhav Singhal author

Vaibhav has been in software testing for a decade. He has worked with different testing techniques along with exploratory testing, and has performed regression, performance, API and other testing with tools and libraries like Selenium, JMeter, LoadRunner, Protractor, REST Assured, Katalon, Appium and others.

1 Comment

Dany

May 23, 2017 at 5:13 am

Kudos to you! I hadn’t thought of that!
