How to Test Cookies in a Stateful Web System


The last cookie test I'll mention is a simple one. While investigating cookie usage on the site you're testing, pay particular attention to the meaning of the cookie data. Sensitive information such as usernames and passwords should NOT be stored in plain text for all the world to read; this data should be encrypted before it is sent to your computer. I've tested many sites where this seemingly obvious rule has been violated. A case can certainly be made that certain types of sensitive data (credit card numbers, for example) should never be stored in cookies, even encrypted.

Based on the cookie analysis we performed above, I'd say Amazon easily passes the cookie encryption test. No sensitive user or credit card information is stored in plain text.
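To make this plain-text check repeatable when auditing your own site, here is an added example that is not part of the original article: it scans Set-Cookie headers for sensitive values that are stored raw or merely URL- or base64-encoded (encodings a tester can reverse, which is not encryption). The sample headers, the Luhn-valid test number, and the functions `luhn_ok`, `inspect_value` and `audit_set_cookie` are all constructed for this demonstration.

```python
import base64
import binascii
import re
from urllib.parse import unquote
# Constructed Set-Cookie headers for the demonstration; not captured from any real site.
SAMPLE_SET_COOKIE = [
    "session=3f9a1c7e2b4d; Path=/; HttpOnly",
    "user=alice%40example.com; Path=/",
    "card=NDExMTExMTExMTExMTExMQ==; Path=/",  # base64 of a Luhn-valid test number
    "pref=dark; Path=/",
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PAN_RE = re.compile(r"\d{13,19}")  # length range of payment card numbers

def luhn_ok(digits):
    """Luhn checksum, to separate card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def candidate_plaintexts(value):
    """Yield raw, URL-decoded and base64-decoded forms; none of these is encryption."""
    yield value
    yield unquote(value)
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64, or not text once decoded

def inspect_value(value):
    """Return a set of (kind, plaintext) findings for one cookie value."""
    findings = set()
    for text in candidate_plaintexts(value):
        findings.update(("email", m.group()) for m in EMAIL_RE.finditer(text))
        findings.update(("card_number", m.group()) for m in PAN_RE.finditer(text)
                        if luhn_ok(m.group()))
    return findings

def audit_set_cookie(headers):
    """Map cookie name -> findings for every Set-Cookie header that has any."""
    report = {}
    for header in headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        hits = inspect_value(value.strip())
        if hits:
            report[name.strip()] = hits
    return report
```

Run against the sample headers, the `user` and `card` cookies are flagged while the opaque `session` token and the `pref` cookie pass, which mirrors the manual inspection described above.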

Wrap Up
State information can be maintained in Web systems by the use of cookies. Other methods for maintaining state include hidden form fields and embedding state data in HTML links; I recommend that Web testers explore these methods as well. Our job as testers is to find out, by talking to developers, reading system documentation, or experimenting with the Web site, which of these technologies are being used and to design tests accordingly.
