How to Test Cookies in a Stateful Web System


message? Or does the site malfunction, crash, corrupt data, or misbehave in other ways?

Let's strategize a selective cookie rejection test for the amazon.com home page. Each test case will require either accepting or rejecting each of the six cookies, so there are 2^6 = 64 possible test cases. A few of the test cases are enumerated in the following table, proceeding as if counting in binary with "reject" being a 0 value and "accept" being a 1 value.

 

| Test case # | Cookie 1 (persistent) | Cookie 2 (persistent) | Cookie 3 (persistent) | Cookie 4 (per session) | Cookie 5 (persistent) | Cookie 6 (persistent) |
|---|---|---|---|---|---|---|
| 1 | reject | reject | reject | reject | reject | reject |
| 2 | reject | reject | reject | reject | reject | accept |
| 3 | reject | reject | reject | reject | accept | reject |
| 4 | reject | reject | reject | reject | accept | accept |
| 5 | reject | reject | reject | accept | reject | reject |
| … | … | … | … | … | … | … |
| 64 | accept | accept | accept | accept | accept | accept |

If I were to run the fourth test case, for example, I would reject the first four cookies every time amazon.com tries to set them, but allow amazon to set the fifth and sixth cookies.

Based on amazon's performance in the disabling cookies test, I would guess that the site would pass most or nearly all of the selective cookie rejection test cases. The first test case is equivalent to the disabling cookies test performed previously, but I'll leave it in the table for completeness. I executed test cases 2 and 5, closing the browser and deleting the cookies before starting each test case. Both passed: I was able to use the site's major functions, as above, without problem. Looks like the site designers ensured that "problems" with cookies would have little or no effect on a customer's ability to shop at amazon.com.

Note that the test cases above only deal with the cookies being rejected or accepted when amazon.com first tries to create them. We should also test rejecting and accepting cookie modifications. Allow a cookie to initially be set. If/when the Web server subsequently attempts to modify that cookie, what happens if you disallow the change, retaining the "old" value?
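The accept/reject matrix in the table and the modification-rejection test can both be driven from a script instead of browser prompts. The following is an added example, not code from the original article: it uses Python's standard `http.cookiejar`, and the cookie names, the `shop.example` host and the `FakeResponse` helper are constructed placeholders so that it runs offline.

```python
import itertools
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar, DefaultCookiePolicy

# Constructed placeholder names for the six cookies the site sets.
COOKIE_NAMES = [f"cookie{i}" for i in range(1, 7)]

def enumerate_cases(names):
    """Yield (case number, {name: accept?}), counting in binary (reject=0, accept=1)."""
    combos = itertools.product([False, True], repeat=len(names))
    for number, bits in enumerate(combos, start=1):
        yield number, dict(zip(names, bits))

class SelectivePolicy(DefaultCookiePolicy):
    """Accept or reject cookies by name; with freeze=True, also refuse modifications."""
    def __init__(self, decisions, freeze=False):
        super().__init__()
        self.decisions, self.freeze, self.jar = decisions, freeze, None

    def set_ok(self, cookie, request):
        if not self.decisions.get(cookie.name, False):
            return False  # rejected when the server first tries to set it
        if self.freeze and any(c.name == cookie.name for c in self.jar):
            return False  # already stored: disallow the change, keep the old value
        return super().set_ok(cookie, request)

def make_jar(decisions, freeze=False):
    policy = SelectivePolicy(decisions, freeze)
    policy.jar = CookieJar(policy)
    return policy.jar

class FakeResponse:
    """Offline stand-in for an HTTP response carrying Set-Cookie headers."""
    def __init__(self, cookies):
        self._headers = Message()
        for name, value in cookies.items():
            self._headers.add_header("Set-Cookie", f"{name}={value}; Path=/")

    def info(self):
        return self._headers

def apply_response(jar, cookies, url="http://shop.example/"):
    """Feed constructed Set-Cookie headers to the jar; return what it now holds."""
    jar.extract_cookies(FakeResponse(cookies), urllib.request.Request(url))
    return {c.name: c.value for c in jar}
```

Against a live site, the same jar can be attached to an opener with `urllib.request.HTTPCookieProcessor(jar)`, with the site's real cookie names substituted for the placeholders.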

3. Corrupting Cookies
Now's our chance to really abuse the site under test! Exercise the site's major features. Along the way, as cookies are created and modified, try things like

  • Altering the data in the persistent cookies. Since the per-session cookies are stored only in memory, they aren't readily accessible for editing.

    First example: in the first cookie written by amazon.com, change the name session-id to something different, perhaps ses-id or sexqion-id. Remember, you will have to close the browser to edit the cookies. After editing the cookie, restart the browser and reload/continue using the site. Did the corrupted cookie cause the site to malfunction? Is any data lost or corrupted in the database? If I visit the amazon site, close the browser, restart the browser and go back to amazon.com, my "previous" session is maintained based on the session ID in the cookie. However, if I corrupt the session ID variable name, amazon detects the corruption and recovers by discarding all six of the cookies and recreating them with new values.

    Second example: change the session-id value in the data field by adding 1 to the rightmost digit; 102-7224116-8052958 becomes 102-7224116-8052959. Are you now looking at someone else's shopping session? Anything lost or corrupted in the database?

  • Selectively deleting cookies. Allow the cookie to be written (or modified), perform several more actions on the site, then delete that cookie. Continue using the site. What happens? Is it easy to recover? Any data lost or corrupted?

4. Cookie Encryption

About the author

Richard Brauchle

Rich Brauchle is Vice President and Co-Founder of Testware Associates, a New Jersey-based software testing consulting services firm. Before Testware, Rich worked as a software engineer for Asea Brown Boveri. Rich holds a BS in Electrical Engineering from Rensselaer Polytechnic Institute and an MBA from Rutgers University. Unless you're sending spam, he can be reached at richb@testwareinc.com.
