How to test cookies and sessions?


Kamath

  • May 25th, 2006
 

1. If the server allows storing cookies on the client side, then one can use the Mozilla browser to test it.


krajasekhar

  • Jun 21st, 2006
 

How to test sites that use cookies

1. Disabling Cookies

This is probably the easiest area of cookie testing. What happens to the Web site if all cookies are disabled? Start by closing all instances of your browser and deleting all cookies from your PC set by the site under test. The cookie file is kept open by the browser while it's running, so you must close the browser to delete the cookies. Closing the browser also removes any per-session cookies in memory.

Disable all cookies and attempt to use the site's major features and functions. Most of the time, you will find that these sites won't work when cookies are disabled. This isn't a bug, but rather a fact of life: disabling cookies on a site that requires cookies (of course!) disables the site's functionality.

With cookies disabled, your testing job is somewhat reduced. Can the user perform any operations on the site? Is it obvious to the Web site user that he must have cookies enabled to use the site? Is the Web server recognizing that its attempts to set cookies are failing? If so, does it send a page to the user stating, in plain language, that cookies must be enabled for the site to work? Or can the user frustratingly attempt the same operation many times in a row without a clue as to why the site isn't working?

Amazon.com passes this test and then some. I was able to use all major aspects of the site (searching, shopping cart, checkout functions) even though cookies were completely disabled. It appears that state maintenance was being taken care of server-side, based on the session ID at the end of the home page URL. For example, I chose the Yamaha CD-ROM kit on the amazon home page and added it to my shopping cart. The shopping cart page URL was www.amazon.com/?/one-click-thank-you-confirm/107-0357560-1728507. Changing the rightmost digit from 7 to 8, and posting this edited URL, lost my shopping cart and brought up the following error page, lending further support to the probability of server-side state maintenance with a session ID in the URL.

2. Selectively Rejecting Cookies

What happens to the site if some cookies are accepted and others are rejected? Start by deleting all cookies from your PC set by the site under test and set your browser's cookie option to prompt you whenever a Web site attempts to set a cookie. Exercise the site's major functions. You will be prompted for each and every cookie the site attempts to set. Accept some and reject others. (Analyze site cookie usage in advance and draw up a test plan detailing what cookies to reject/accept for each function.) How does the site hold up under this selective cookie rejection? As above, does the Web server detect that certain cookies are being rejected and respond with an appropriate message? Or does the site malfunction, crash, corrupt data, or misbehave in other ways?

Let's strategize a selective cookie rejection test for the amazon.com home page. Each test case will require either accepting or rejecting each of the six cookies, so there are 2^6 = 64 possible test cases. A few of the test cases are enumerated in the following table, proceeding as if counting in binary with "reject" being a 0 value and "accept" being a 1 value.

test case #   cookie 1       cookie 2       cookie 3       cookie 4       cookie 5       cookie 6
              (persistent)   (persistent)   (persistent)   (per session)  (persistent)   (persistent)
1             reject         reject         reject         reject         reject         reject
2             reject         reject         reject         reject         reject         accept
3             reject         reject         reject         reject         accept         reject
4             reject         reject         reject         reject         accept         accept
5             reject         reject         reject         accept         reject         reject
...
64            accept         accept         accept         accept         accept         accept

If I were to run the fourth test case, for example, I would reject the first four cookies every time amazon.com tries to set them, but allow amazon to set the fifth and sixth cookies.

Based on amazon's performance in the disabling cookies test, I would guess that the site would pass most or nearly all of the selective cookie rejection test cases. The first test case is equivalent to the disabling cookies test performed previously, but I'll leave it in the table for completeness. I executed test cases 2 and 5, closing the browser and deleting the cookies before starting each test case. Both passed: I was able to use the site's major functions, as above, without problem. Looks like the site designers ensured that "problems" with cookies would have little or no effect on a customer's ability to shop at amazon.com.

Note that the test cases above only deal with the cookies being rejected or accepted when amazon.com first tries to create them. We also should test rejecting and accepting cookie modifications. Allow a cookie to initially be set. If/when the Web server attempts to subsequently modify that cookie, what happens if you disallow the change, retaining the "old" value?

3. Corrupting Cookies

Now's our chance to really abuse the site under test! Exercise the site's major features. Along the way, as cookies are created and modified, try things like

• Altering the data in the persistent cookies. Since the per-session cookies are stored only in memory, they aren't readily accessible for editing.

First example: in the first cookie written by amazon.com, change the name session-id to something different, perhaps ses-id or sexqion-id. Remember, you will have to close the browser to edit the cookies. After editing the cookie, restart the browser and reload/continue using the site. Did the corrupted cookie cause the site to malfunction? Is any data lost or corrupted in the database? If I visit the amazon site, close the browser, restart the browser and go back to amazon.com, my "previous" session is maintained based on the session ID in the cookie. However, if I corrupt the session ID variable name, amazon detects the corruption and recovers by discarding all six of the cookies and recreating them with new values.

Second example: change the session-id value in the data field by adding 1 to the rightmost digit; 102-7224116-8052958 becomes 102-7224116-8052959. Are you now looking at someone else's shopping session? Anything lost or corrupted in the database?

• Selectively deleting cookies. Allow the cookie to be written (or modified), perform several more actions on the site, then delete that cookie. Continue using the site. What happens? Is it easy to recover? Any data lost or corrupted?

4. Cookie Encryption

The last cookie test I'll mention is a simple one. While investigating cookie usage on the site you're testing, pay particular attention to the meaning of the cookie data. Sensitive information like usernames and passwords should NOT be stored in plain text for all the world to read; this data should be encrypted before it is sent to your computer. I've tested many sites where this seemingly obvious rule has been violated. A case can certainly be made that certain types of sensitive data (credit card numbers, for example) should never be stored in cookies, even encrypted.

Based on the amazon.com cookie analysis we performed above, I'd say amazon easily passes the cookie encryption test. No sensitive user or credit card information is stored in plain text.

 Source: stickyminds.com
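The selective rejection plan of section 2 above, as an added example that is not part of the original answer: it turns a test case number into the accept/reject row of the table (binary counting with cookie 6 as the low bit) and applies it as an http.cookiejar policy, so a case can be driven from a script instead of by answering browser prompts. The cookie names other than session-id and the host www.example.test are constructed placeholders.

```python
# Added example (not from the original post): the selective cookie rejection
# plan of section 2 as code. Cookie names other than "session-id" and the host
# www.example.test are constructed placeholders.
from http.cookiejar import Cookie, DefaultCookiePolicy
from urllib.request import Request

# The six cookies of the answer's table, in column order.
COOKIE_NAMES = ["session-id", "cookie-2", "cookie-3", "cookie-4", "cookie-5", "cookie-6"]


def rejection_plan(case_number, names=COOKIE_NAMES):
    """Return {cookie name: "accept" or "reject"} for a 1-based test case number.

    The table counts in binary with reject = 0, accept = 1 and the last cookie
    as the least significant bit: case 1 rejects every cookie, case 2 accepts
    only the last one, case 2**len(names) accepts them all.
    """
    n = len(names)
    if not 1 <= case_number <= 2 ** n:
        raise ValueError(f"case number must be in 1..{2 ** n}")
    bits = format(case_number - 1, f"0{n}b")
    return {name: "accept" if bit == "1" else "reject" for name, bit in zip(names, bits)}


class SelectiveRejectPolicy(DefaultCookiePolicy):
    """Cookie policy that drops every cookie the plan marks "reject".

    Install it on an http.cookiejar.CookieJar (e.g. behind
    urllib.request.HTTPCookieProcessor) to run one test case without browser
    prompts; self.log keeps the decision taken for each Set-Cookie header.
    """

    def __init__(self, plan):
        super().__init__()
        self.plan = plan
        self.log = []

    def set_ok(self, cookie, request):
        decision = self.plan.get(cookie.name, "unplanned")  # not in the plan: flag it
        self.log.append((cookie.name, decision))
        if decision == "reject":
            return False
        return super().set_ok(cookie, request)  # usual version/domain/path checks


def decide(policy, name, value, host="www.example.test"):
    """Offer one constructed Netscape-style cookie to the policy; True means stored."""
    cookie = Cookie(0, name, value, None, False, host, False, False, "/", True,
                    False, None, False, None, None, {})
    return policy.set_ok(cookie, Request(f"https://{host}/"))
```

The log makes the report for each case explicit: every cookie the site tried to set, whether it was planned, and what was done with it.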

 

 
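For the cookie encryption test of section 4, an added check that is not from the original answer: it scans cookie values, including base64-wrapped ones, for e-mail addresses, Luhn-valid card numbers and credential pairs, and leaves digit runs such as the session id alone. The sample cookies are constructed.

```python
# Added example (not from the original answer): a plaintext-sensitive-data
# check for the cookie encryption test of section 4. Sample cookies are constructed.
import base64
import re

SAMPLE_COOKIES = {  # constructed: session id, preference, credentials, card, wrapped e-mail
    "session-id": "102-7224116-8052958",
    "prefs": "skin=blue",
    "login": "user=alice&password=hunter2",
    "cc": "4111111111111111",
    "u": base64.b64encode(b"email=alice@example.test").decode(),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
CRED_RE = re.compile(r"(?:pass(?:word|wd)?|pwd|user(?:name)?|uid|email)=[^;&]+", re.I)


def luhn_ok(digits):
    """Luhn checksum, so digit runs such as a session id are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def views(value):
    """Raw value plus its base64 decoding when that is text (base64 is not encryption)."""
    out = [value]
    try:
        out.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except ValueError:  # not base64, or the decoded bytes are not UTF-8 text
        pass
    return out


def scan_cookie(value):
    """List (kind, evidence) findings for one cookie value."""
    found = []
    for text in views(value):
        found += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                found.append(("card-number", digits))
        found += [("credential", m.group()) for m in CRED_RE.finditer(text)]
    return found


def scan_cookies(cookies):
    """Cookie name -> findings for every cookie carrying plaintext sensitive data."""
    return {n: f for n, v in cookies.items() if (f := scan_cookie(v))}
```

A cookie that only turns up in the report after base64 decoding is encoded, not encrypted, and fails the test just like a plaintext one.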
