How to Test Cookies in a Stateful Web System


are deleted when you close your Web browser; they only exist for the single Web surfing session beginning when you start the browser and ending when you close the browser.

Cookie Usage by
Let's make the cookie concepts we've discussed more concrete by examining how uses cookies. In doing so, we will also encounter a common problem in "cookie testing"-figuring out what the hieroglyphic-like information in the cookie means! We'll navigate through the site to discover where cookies are employed.

To start, I deleted all Netscape cookies from my PC and set the cookie option to prompt me whenever the Web site sets a cookie. Next, I navigated to

We get a prompt indicating that the site wants to set a "session-id" cookie. I then open Netscape's cookies.txt file and copy/paste the cookie details into a "cookie log" with my observations for later analysis. A word of warning: some sites are highly active with cookies, setting or modifying them on every page you visit. Creating the cookie log on these types of sites will be time consuming and drive you to a certain level of insanity. Getting as much info as possible in advance about cookie activity from the developers is your best bet in this situation.

So we record the following data for the first cookie. TRUE / FALSE 994320128 session-id 102-7224116-8052958

The prompt that Netscape presented me with indicated the cookie will expire on Thursday July 5, 2001, one week from my visit. (We'll explore the details in the next two sections.)

The second cookie set by amazon contained the following data and also expires
on 7/5/2001. TRUE / FALSE 994320181 session-id-time 994320000

Amazon's third cookie contained the following and expires on 1/1/2036. Since my laptop will be reduced to either paperweight or landfill status by then, this is pretty much a "permanent cookie" relative to the useful life of my laptop. TRUE / FALSE 2082787330 ubid-main 077-4356846-2652328

The fourth cookie is a per-session cookie, since the Netscape prompt did not include an expiration date. Since per-session cookies aren't written to the hard drive, examining the cookie content can be done only through the actual Netscape prompt.

Figure 3

FIGURE 3 Per-session cookie

The fifth cookie expires on 1/1/2036 and contained the following data. TRUE / FALSE 2082787787 x-main [email protected]

After accepting this fifth cookie, the home page (finally!) displayed. The URL of the home page was

Have we seen that number sequence at the end of the URL before? Yes, it's the session ID stored in the first cookie.

A sixth cookie containing the following data and expiring on 6/29/2001 was then set. FALSE / FALSE 993797034 seenpop 1

Upon accepting this cookie, a secondary browser window popped up with a free shipping promotion notice. A logical guess at this cookie's purpose, then, would be that it tracks whether or not you've seen the promotion popup ad.

After all of these cookies were set, my Netscape cookies.txt file looked like this:

Figure 4

FIGURE 4 Cookie file

Why are there are only five cookies in the file? The per-session cookie is kept in memory only; it is not written to the cookies.txt file.

So What's Inside a Cookie?
Before we attempt to analyze all of the cookies set by, let's take a quick look at cookie structure and the meaning of cookie data.

The first cookie set by amazon was: TRUE / FALSE 994320128 session-id 102-7224116-8052958

Using the information at, I'll break the cookie down into its individual fields from left to right and describe

About the author

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.