How to Test Cookies in a Stateful Web System

[article]

what each field is used for.

  • .amazon.com is the domain for which this cookie is valid. Only machines in the amazon.com domain can read this cookie. (Note: bugs in Web browser cookie implementations have allowed unauthorized sites to access cookies in the past.)
  • FALSE (1st occurrence) is a flag indicating whether or not the cookie can be accessed by all machines in the domain.
  • / is the path the cookie is valid for.
  • FALSE (2nd occurrence) is a secure flag indicating whether or not a secure (encrypted) connection is needed to access the cookie.
  • 994320128 is the UNIX expiration time of the cookie. UNIX time is the number of seconds since January 1, 1970 00:00:00 GMT.
  • session-id is the name of the variable stored by this cookie.
  • 102-7224116-8052958 is the value of this cookie.

Amazon.com Cookie Analysis
Our cookie experiment for amazon.com showed us that simply loading the Amazon home page creates six cookies: one per-session (non-persistent) cookie and five persistent cookies. Since the site design documents and developers are unavailable to us, let's put the cookie data into a table and try to decipher what the cookies are used for and the meaning of the cookie data. We will consider only the first five cookies, since we determined the purpose of the sixth cookie (www.amazon.com FALSE / FALSE 993797034 seenpop 1) is to "remember" if the user sees the promotional popup.

| cookie # | domain | accessible by all machines | path | secure connection needed | expiration | name | value |
|---|---|---|---|---|---|---|---|
| 1 | .amazon.com | TRUE | / | FALSE | 994320128 | session-id | 102-7224116-8052958 |
| 2 | .amazon.com | TRUE | / | FALSE | 994320181 | session-id-time | 994320000 |
| 3 | .amazon.com | TRUE | / | FALSE | 2082787330 | ubid-main | 077-4356846-2652328 |
| 4 | .amazon.com | TRUE | / | FALSE | (per-session cookie) | obidos_path | (see figure 3) |
| 5 | .amazon.com | TRUE | / | FALSE | 2082787787 | x-main | hQFiIxHUFj8mCscT@Yb5Z7xsVsOFQjBf |

The first cookie is a session ID assigned to my shopping session by the amazon server. The primary giveaway here is the variable name "session-id." (I can hear you saying, "Thanks for the revelation, Rich.") Another clue is that the data in its value field, 102-7224116-8052958, can be found at the end of the home page URL which appeared after the 5th cookie was set, www.amazon.com/…/home.html/102-7224116-8052958. Cookie 1 expires on 7/5/2001, based on the warning dialog I saw in Netscape before the cookie was set. So the UNIX expiration time 994320128 in this cookie must correspond to 7/5/2001.

The second cookie's purpose isn't obvious. Based on its name and value, session-id-time and 994320000, respectively, I would guess it is the maximum possible "end" time in UNIX time of my amazon.com session. I know from the Netscape warning above that this cookie expires on 7/5/2001, so I can infer that the expiration value of 994320181 in this cookie also corresponds to 7/5/2001 (approximately 3 minutes from the UNIX time listed in the previous cookie).

The purpose of cookies 3 and 5 is even harder to decipher. The names of cookies 3 and 5, ubid-main and x-main, don't lend us any immediate understanding. Both of these cookies expire in 2036, so whatever amazon is tracking here, it must be of long-term use.

The fourth cookie, the only per-session / nonpersistent cookie, contains a long value with the substring "continue-shopping-url." I would guess this cookie value tells the amazon Web server where to send me if I click the "Continue Shopping" button on the shopping cart page. As before, I'm having a hard time determining with certainty what this cookie is used for without further investigation.

I'd have to talk to the amazon developers, possibly bribe them
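The field-by-field decoding given at the top of this article and the expiry reasoning in the cookie analysis can both be mechanised. The following is an added example, not code from the article or from Amazon: it parses Netscape cookies.txt lines, turns the UNIX expiration into a UTC date, and records the observations a tester would note for each cookie (no secure flag, readable domain-wide, per-session versus long-lived, and a cookie value that reappears in a page URL). The sample lines are reconstructed from the article's table; the obidos_path value, the URL, and the observation date are constructed placeholders, since the article shows none of them in full.

```python
"""Decode Netscape cookies.txt lines the way the article reads them.

Added example; not the article's or Amazon's code. Sample data is
reconstructed from the article's table except where marked CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Seven tab-separated fields per line, in the order the article describes:
# domain, domain-wide flag, path, secure flag, UNIX expiry, name, value.
# cookies.txt records a per-session cookie with an expiry of 0.
SAMPLE_COOKIES_TXT = "\n".join([
    ".amazon.com\tTRUE\t/\tFALSE\t994320128\tsession-id\t102-7224116-8052958",
    ".amazon.com\tTRUE\t/\tFALSE\t994320181\tsession-id-time\t994320000",
    ".amazon.com\tTRUE\t/\tFALSE\t2082787330\tubid-main\t077-4356846-2652328",
    # CONSTRUCTED value: the article only says it contains "continue-shopping-url"
    ".amazon.com\tTRUE\t/\tFALSE\t0\tobidos_path\tcontinue-shopping-url=PLACEHOLDER",
    ".amazon.com\tTRUE\t/\tFALSE\t2082787787\tx-main\thQFiIxHUFj8mCscT@Yb5Z7xsVsOFQjBf",
    "www.amazon.com\tFALSE\t/\tFALSE\t993797034\tseenpop\t1",
])

# CONSTRUCTED: the article elides the middle of the home-page URL.
SAMPLE_URL = "https://www.amazon.com/ELIDED/home.html/102-7224116-8052958"


@dataclass
class Cookie:
    domain: str
    domain_wide: bool            # 2nd field: readable by every host in the domain
    path: str
    secure: bool                 # 4th field: sent only over an encrypted connection
    expires: Optional[datetime]  # None for a per-session (non-persistent) cookie
    name: str
    value: str

    @property
    def persistent(self) -> bool:
        return self.expires is not None


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse cookies.txt text; rejects lines that do not have exactly 7 fields."""
    cookies: List[Cookie] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                      # blank line or comment header
        fields = raw.split("\t")
        if len(fields) != 7:
            raise ValueError(f"expected 7 tab-separated fields: {raw!r}")
        domain, flag, path, secure, expiry, name, value = fields
        seconds = int(expiry)
        cookies.append(Cookie(
            domain=domain,
            domain_wide=(flag == "TRUE"),
            path=path,
            secure=(secure == "TRUE"),
            expires=(datetime.fromtimestamp(seconds, tz=timezone.utc)
                     if seconds > 0 else None),
            name=name,
            value=value,
        ))
    return cookies


def lifetime_days(cookie: Cookie, now: datetime) -> Optional[float]:
    """Days until expiry as seen from `now`; None for a per-session cookie."""
    if cookie.expires is None:
        return None
    return (cookie.expires - now).total_seconds() / 86400


def review_cookie(cookie: Cookie, now: datetime,
                  long_lived_days: float = 365) -> List[str]:
    """Observations a tester would record for one cookie."""
    notes = []
    if not cookie.secure:
        notes.append("not Secure: also sent over unencrypted connections")
    if cookie.domain_wide:
        notes.append(f"readable by every host under {cookie.domain}")
    days = lifetime_days(cookie, now)
    if days is None:
        notes.append("per-session: discarded when the browser closes")
    elif days > long_lived_days:
        notes.append(f"persists about {days / 365:.1f} years: long-term tracking")
    return notes


def values_in_url(cookies: List[Cookie], url: str) -> List[str]:
    """Names of cookies whose value is also embedded in the URL.

    A session identifier that reappears in a URL ends up in server logs,
    Referer headers and bookmarks, so it is worth a note in the test report.
    Very short values (like seenpop's "1") are skipped to avoid noise.
    """
    return [c.name for c in cookies if len(c.value) >= 8 and c.value in url]


if __name__ == "__main__":
    # ASSUMED observation date: the article does not say when the cookies were captured.
    observed = datetime(2001, 6, 28, tzinfo=timezone.utc)
    cookies = parse_cookies_txt(SAMPLE_COOKIES_TXT)
    for c in cookies:
        when = c.expires.strftime("%Y-%m-%d %H:%M:%S UTC") if c.expires else "session"
        print(f"{c.name:16} expires {when:24} {'; '.join(review_cookie(c, observed))}")
    print("cookie values found in URL:", values_in_url(cookies, SAMPLE_URL))
```

Running it reproduces the article's inferences from the raw numbers: 994320128 decodes to 5 July 2001, cookies 3 and 5 decode to January 2036, cookie 4 has no expiry and is therefore per-session, and the session-id value is the only one that also shows up in the URL.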

About the author

Richard Brauchle

Rich Brauchle is Vice President and Co-Founder of Testware Associates, a New Jersey-based software testing consulting services firm. Before Testware, Rich worked as a software engineer for Asea Brown Boveri. Rich holds a BS in Electrical Engineering from Rensselaer Polytechnic Institute and an MBA from Rutgers University. Unless you're sending spam, he can be reached at richb@testwareinc.com.
