How to Test Cookies in a Stateful Web System


The last cookie test I'll mention is a simple one. While investigating cookie usage on the site you're testing, pay particular attention to the meaning of the cookie data. Sensitive information like usernames and passwords should NOT be stored in plain text for all the world to read; this data should be encrypted before it is sent to your computer. I've tested many sites where this seemingly obvious rule has been violated. A case can certainly be made that certain types of sensitive data-credit card numbers, for example-should never be stored in cookies, even encrypted.

Based on the cookie analysis we performed above, I'd say amazon easily passes the cookie encryption test. No sensitive user or credit card information is stored in plain text.

Wrap Up
State information can be maintained in Web systems by the use of cookies. Other methods for maintaining state include hidden form fields and embedding state data in HTML links; I recommend that Web testers explore these methods as well. Our job as testers is to find out, by talking to developers, reading system documentation, or experimenting with the Web site, which of these technologies are being used and to design tests accordingly.

Further Information


About the author

Richard Brauchle's picture Richard Brauchle

Rich Brauchle is Vice President and Co-Founder of Testware Associates, a New Jersey-based software testing consulting services firm. Before Testware, Rich worked as a software engineer for Asea Brown Boveri. Rich holds a BS in Electrical Engineering from Rensselaer Polytechnic Institute and an MBA from Rutgers University. Unless you're sending spam, he can be reached at

AgileConnection is one of the growing communities of the TechWell network.

Featuring fresh, insightful stories, is the place to go for what is happening in software development and delivery.  Join the conversation now!