Website - Testing Cookies

Website Cookies - Testing
Abhilash Gopi
Dated : 6th Mar., 2008.


Cookies
- Most web applications generate a cookie.
- Cookie- also referred to as the HTTP Cookie.
- Are parcels of text sent by a server to a web browser and are sent back unchanged by the browser each time it accesses the server.


Why are cookies used?
- Used for authenticating, tracking, and maintaining specific information about users. (typically site preference).
- It was first associated with the Unix computing and was called “magic cookie”.


The flip side- There are a lot of concerns as regards cookies.
- It has been the subject of debate for “Internet Privacy”.
- A hacker could create an application with cookies designed to know more about the user’s browsing behavior.


Other concerns- Most modern browsers allow users to decide whether to accept cookies.
- In this case, a rejection may render a site useless (e.g. a shopping site).


What are we gonna discuss?
- What exactly are cookies?
- How they work?
- How to test cookies?


What is cookie?
- A small information stored in text format on the user’s hard disk by the web server.
- This information is later used by the web browser to retrieve information from that machine.

Why cookies are used?
- Cookies are basically the user’s identify and are used to track where the user navigated throughout the web site pages.


How cookies work?

- The HTTP protocol used to exchange information files on the web is used to maintain the cookies.
- Two types of HTTP protocol
• Stateless HTTP
• Stateful HTTP



Stateless HTTP- Does not keep any record of previously accessed web page history.

Persistent Cookie- Have an expiration date and lie on the machine until expiry.

Non-persistent cookies- Stored in the web browser’s memory and is destroyed on closing the browser.


Stateful HTTP- Does keep some history of previous web browser and web server interactions and is used by cookie to maintain the user interactions.



Cookie Format- Whenever user visits a site or page that is using a cookie, small code inside the HTML page writes a text file on the user’s machine called cookie.


- E.g
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME;
Cookie Format
- Set-Cookie: Password=D3Br0y3Utr3; expires=DATE+50; path=\; domain=eShopping;


Revise (Cookie identify)
- Name
- Expires
- Path
- domain


Where are cookies stored?
- When any web application writes cookie, it gets saved in a text file on the users disk drive.
- The path where the cookies get stored depends on the browser.


Where are cookies stored?
- IE stores cookies in
C:\Documents and Settings\Default User\Cookies

Or
C:\Documents and Settings\Default user\Local Settings\Temporary Internet Files

Applications implementing cookie
- Shopping cart sites
• Cookies track what the user wants to buy.

- Personalized sites
• When user visits certain pages they are asked which pages they don’t want to visit. User options are stored in cookie until the time the user logs out.

Applications implementing cookie
- User Tracking
• To track number of unique visitors online
- Marketing
• Cookies can be used to display advertisements on user machines. Cookies control these advertisements. The type of advertisement is generated by the cookie.
- User sessions
• Cookies can track user sessions to particular domain using user ID and password.


Test a Cookie
- To devise test cases for testing a cookie, ensure the following
• As a cookie privacy policy make sure that no personal or sensitive data is stored in the cookie.
• If sensitive data do need to be saved in cookie, ensure that the cookie is saved in encrypted format.
• Ensure no overuse of cookies on the site exists.
• Disable the cookies from the browser settings. Ensure that the site works without any exception. See if appropriate messages to enable the cookie are visible. (In this case, you will need to close all browsers, delete all cookies before performing the test)
• Accept/ reject some cookies
• Set browser option to prompt whenever a cookie is being written. Check for major functionality for all combination of cookie enable/ disable.
• Delete cookie
• Allow site to write the cookies and then close all browsers, manually delete the cookie and check behavior of the pages.
• Corrupt the cookies.
• Manually edit the cookies and change the parameters to some vague values.
• In some cases, the cookie refers to some other site.
• Checking deletion of cookies from the web application.
• Sometimes a cookie that is created by a domain will be deleted by same domain
• In case of site implementing action tracking, the cookie should get deleted (e.g. purchasing)
• Testing cookie on multiple browsers
• Test for same user on multiple browsers on different machines
• Test on different browser environments
• IE, FireFox, Netscape, Opera etc.
• Change the querystring for logged in user and verify if access is provided.


Suggestions as a Tester
=>
Suggestions you can provide
- The security measure suggestions you can provide:
• Use non-persistent cookies instead of persistent cookies.
• If you must use persistent cookies, then specify a short duration for the cookie's life. The longer the time until cookie expiration, the larger the risk.


Security Suggestions
• Use the secure tag, so that the cookie is sent only if a secure channel (https) is being used.
• Encrypt the information in the cookies. Some web sites split one cookie into many cookies that are further encrypted.
• Avoid application features that use persistent cookies to store privacy-related information. Example: Sites that say “Please check to remember user name and password.”