How to Test Cookies in a Stateful Web System

are deleted when you close your Web browser; they only exist for the single Web surfing session beginning when you start the browser and ending when you close the browser.

Cookie Usage by Amazon.com
Let's make the cookie concepts we've discussed more concrete by examining how amazon.com uses cookies. In doing so, we will also encounter a common problem in "cookie testing": figuring out what the hieroglyphic-like information in the cookie means! We'll navigate through the site to discover where cookies are employed.

To start, I deleted all Netscape cookies from my PC and set the cookie option to prompt me whenever the Web site sets a cookie. Next, I navigated to www.amazon.com.

We get a prompt indicating that the site wants to set a "session-id" cookie. I then open Netscape's cookies.txt file and copy/paste the cookie details into a "cookie log" with my observations for later analysis. A word of warning: some sites are highly active with cookies, setting or modifying them on every page you visit. Creating the cookie log on these types of sites will be time consuming and drive you to a certain level of insanity. Getting as much info as possible in advance about cookie activity from the developers is your best bet in this situation.

So we record the following data for the first cookie.

.amazon.com TRUE / FALSE 994320128 session-id 102-7224116-8052958

The prompt that Netscape presented me with indicated the cookie will expire on Thursday July 5, 2001, one week from my visit. (We'll explore the details in the next two sections.)

The second cookie set by amazon contained the following data and also expires on 7/5/2001.

.amazon.com TRUE / FALSE 994320181 session-id-time 994320000

Amazon's third cookie contained the following and expires on 1/1/2036. Since my laptop will be reduced to either paperweight or landfill status by then, this is pretty much a "permanent cookie" relative to the useful life of my laptop.

.amazon.com TRUE / FALSE 2082787330 ubid-main 077-4356846-2652328

The fourth cookie is a per-session cookie, since the Netscape prompt did not include an expiration date. Since per-session cookies aren't written to the hard drive, examining the cookie content can be done only through the actual Netscape prompt.

FIGURE 3 Per-session cookie

The fifth cookie expires on 1/1/2036 and contained the following data.

.amazon.com TRUE / FALSE 2082787787 x-main hQFiIxHUFj8mCscT@Yb5Z7xsVsOFQjBf

After accepting this fifth cookie, the amazon.com home page (finally!) displayed. The URL of the home page was http://www.amazon.com/exec/obidos/subst/home/home.html/102-7224116-8052958.

Have we seen that number sequence at the end of the URL before? Yes, it's the session ID stored in the first cookie.

A sixth cookie containing the following data and expiring on 6/29/2001 was then set.

http://www.amazon.com/ FALSE / FALSE 993797034 seenpop 1

Upon accepting this cookie, a secondary browser window popped up with a free shipping promotion notice. A logical guess at this cookie's purpose, then, would be that it tracks whether or not you've seen the promotion popup ad.

After all of these cookies were set, my Netscape cookies.txt file looked like this:

FIGURE 4 Cookie file

Why are there only five cookies in the file? The per-session cookie is kept in memory only; it is not written to the cookies.txt file.
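As an added example (not part of the original article), the following Python parses the five logged cookies.txt entries, decodes each expiration timestamp, and records a tester's observations per cookie. The field names follow the Netscape cookies.txt layout; the visit date, the observation wording, and the function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Cookie log lines copied from the article (whitespace stands in for the tabs of a real cookies.txt).
COOKIE_LOG = """\
.amazon.com TRUE / FALSE 994320128 session-id 102-7224116-8052958
.amazon.com TRUE / FALSE 994320181 session-id-time 994320000
.amazon.com TRUE / FALSE 2082787330 ubid-main 077-4356846-2652328
.amazon.com TRUE / FALSE 2082787787 x-main hQFiIxHUFj8mCscT@Yb5Z7xsVsOFQjBf
http://www.amazon.com/ FALSE / FALSE 993797034 seenpop 1
"""
HOME_URL = "http://www.amazon.com/exec/obidos/subst/home/home.html/102-7224116-8052958"
VISIT = datetime(2001, 6, 28, tzinfo=timezone.utc)  # assumption: one week before the 7/5/2001 expiry

class Cookie(NamedTuple):
    domain: str
    all_hosts: bool      # TRUE: every host in the domain may read the cookie
    path: str
    secure: bool         # TRUE: only sent over a secure (HTTPS) connection
    expires: datetime    # stored in the file as seconds since 1970-01-01 UTC
    name: str
    value: str

def parse_cookies(text):
    """Parse Netscape cookies.txt lines: seven fields, left to right."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the file's comment header
        parts = line.split(None, 6)
        if len(parts) != 7:
            raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
        domain, flag, path, secure, expiry, name, value = parts
        when = datetime.fromtimestamp(int(expiry), tz=timezone.utc)
        cookies.append(Cookie(domain, flag == "TRUE", path, secure == "TRUE", when, name, value))
    return cookies

def observations(cookie, visit=VISIT, urls=(HOME_URL,)):
    """Tester's notes for one cookie-log entry."""
    notes = []
    if not cookie.secure:
        notes.append("not restricted to HTTPS")
    if cookie.expires - visit > timedelta(days=365):
        notes.append("long-lived identifier")
    if len(cookie.value) >= 8 and any(cookie.value in u for u in urls):
        notes.append("value repeated in URL")
    return notes

if __name__ == "__main__":
    for c in parse_cookies(COOKIE_LOG):
        print(f"{c.name:16} expires {c.expires:%Y-%m-%d}  {'; '.join(observations(c))}")
```
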

So What's Inside a Cookie?
Before we attempt to analyze all of the cookies set by amazon.com, let's take a quick look at cookie structure and the meaning of cookie data.

The first cookie set by amazon was:

.amazon.com TRUE / FALSE 994320128 session-id 102-7224116-8052958

Using the information at www.cookiecentral.com, I'll break the cookie down into its individual fields from left to right and describe

About the author

Richard Brauchle

Rich Brauchle is Vice President and Co-Founder of Testware Associates, a New Jersey-based software testing consulting services firm. Before Testware, Rich worked as a software engineer for Asea Brown Boveri. Rich holds a BS in Electrical Engineering from Rensselaer Polytechnic Institute and an MBA from Rutgers University. Unless you're sending spam, he can be reached at richb@testwareinc.com.
