How to Test Cookies in a Stateful Web System


with pizza/beer, or get access to some design documents or specifications to get any further here.

Cookie Tasting, er, Testing
Now that we're in the know about what cookies are, how they're used to provide state in Web systems, and what cookie contents look like, let's address how to test sites that use cookies.

1. Disabling Cookies
This is probably the easiest area of cookie testing. What happens to the Web site if all cookies are disabled? Start by closing all instances of your browser and deleting all cookies from your PC set by the site under test. The cookie file is kept open by the browser while it's running, so you must close the browser to delete the cookies. Closing the browser also removes any per-session cookies in memory.

Disable all cookies and attempt to use the site's major features and functions. Most of the time, you will find that these sites won't work when cookies are disabled. This isn't a bug, but rather a fact of life: disabling cookies on a site that requires cookies (of course!) disables the site's functionality.

With cookies disabled, your testing job is somewhat reduced. Can the user perform any operations on the site? Is it obvious to the Web site user that he must have cookies enabled to use the site? Is the Web server recognizing that its attempts to set cookies are failing? If so, does it send a page to the user stating, in plain language, that cookies must be enabled for the site to work? Or can the user frustratingly attempt the same operation many times in a row without a clue as to why the site isn't working?

Amazon passes this test and then some. I was able to use all major aspects of the site (searching, shopping cart, checkout functions) even though cookies were completely disabled. It appears that state maintenance was being taken care of server-side, based on the session ID at the end of the home page URL. For example, I chose the Yamaha CD-ROM kit on the Amazon home page and added it to my shopping cart. The shopping cart page URL was …/one-click-thank-you-confirm/107-0357560-1728507. Changing the rightmost digit from 7 to 8, and posting this edited URL, lost my shopping cart and brought up the following error page, lending further support to the probability of server-side state maintenance with a session ID in the URL.


FIGURE 5 Bug alert

This server-side state maintenance allows someone to shop at Amazon even if they have totally disabled cookies, which is an intelligent design. If cookies are enabled, though, we saw previously that Amazon sets a session ID cookie to "remember" your session ID. Why? If you leave the site with something in your shopping cart and then return, the session ID cookie is used to resume your previous shopping session and shopping cart state.
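One way to automate the disabled-cookie check, extended to rejecting a chosen subset of cookies by name (an added example, not code from the original article). The `Site` handler, the cookie names `sid` and `prefs`, and the `/cart` path are constructed stand-ins for the site under test.

```python
import http.cookiejar
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class Site(BaseHTTPRequestHandler):
    """Constructed stand-in for the site under test (not a real site)."""
    def do_GET(self):
        has_sid = "sid=" in self.headers.get("Cookie", "")
        if self.path != "/cart":
            body = b"home"
        elif has_sid:
            body = b"cart ok"
        else:  # server notices its session cookie never came back
            body = b"Please enable cookies to use the shopping cart."
        self.send_response(200)
        self.send_header("Set-Cookie", "sid=abc123; Path=/")
        self.send_header("Set-Cookie", "prefs=en; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass

class RejectNamed(http.cookiejar.DefaultCookiePolicy):
    """Browser-side policy: refuse to store the cookies named in `reject`."""
    def __init__(self, reject):
        super().__init__()
        self.reject = set(reject)

    def set_ok(self, cookie, request):
        return cookie.name not in self.reject and super().set_ok(cookie, request)

def run_case(reject):
    """Visit / then /cart; return (cookie names kept, cart page text)."""
    server = HTTPServer(("127.0.0.1", 0), Site)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    jar = http.cookiejar.CookieJar(RejectNamed(reject))
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # never route the local test via a proxy
        urllib.request.HTTPCookieProcessor(jar))
    try:
        opener.open(base + "/").read()
        page = opener.open(base + "/cart").read().decode()
    finally:
        server.shutdown()
        server.server_close()
    return sorted(c.name for c in jar), page
```

Each test-plan row becomes one `run_case` call: the list of cookies to reject, then an assertion on which cookies were kept and on whether the page returned explains the failure in plain language.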

2. Selectively Rejecting Cookies
What happens to the site if some cookies are accepted and others are rejected? Start by deleting all cookies from your PC set by the site under test and set your browser's cookie option to prompt you whenever a Web site attempts to set a cookie. Exercise the site's major functions. You will be prompted for each and every cookie the site attempts to set. Accept some and reject others. (Analyze site cookie usage in advance and draw up a test plan detailing what cookies to reject/accept for each function.) How does the site hold up under this selective cookie rejection? As above, does the Web server detect that certain cookies are being rejected and respond with an appropriate


AgileConnection is a TechWell community.
