The last cookie test I'll mention is a simple one. While investigating cookie usage on the site you're testing, pay particular attention to the meaning of the cookie data. Sensitive information such as usernames and passwords should NOT be stored in plain text for all the world to read; this data should be encrypted before it is sent to your computer. I've tested many sites where this seemingly obvious rule has been violated. A case can certainly be made that certain types of sensitive data (credit card numbers, for example) should never be stored in cookies, even encrypted.
Based on the amazon.com cookie analysis we performed above, I'd say Amazon easily passes the cookie encryption test: no sensitive user or credit card information is stored in plain text.
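As an added illustration of this plaintext-cookie check (example code written for this page, not from the original article or any real site), the following Python audits a set of constructed Set-Cookie headers: it looks at the raw, URL-decoded and base64-decoded views of each value, flags credential-like names or embedded labels, and runs a Luhn check over digit runs so that a card number that is merely encoded rather than encrypted is still caught. The sample headers, the field-name pattern and the reason strings are all assumptions.

```python
import base64
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed Set-Cookie headers from a hypothetical site (not real traffic);
# "profile" is a base64 blob, the classic "looks encrypted but isn't" pattern.
_PROFILE = base64.b64encode(b"user=bob;cc=4111111111111111").decode()
SAMPLE_HEADERS = [
    "session=7f3a9c1e2b; Path=/; Secure; HttpOnly",
    "user=alice; Path=/",
    "pw=s3cret!; Path=/",
    f"profile={_PROFILE}; Path=/",
    "pref=lang%3Den; Path=/",
]
# Labels suggesting credentials/card data, and 13-19 digit runs for the Luhn test.
SENSITIVE_NAMES = re.compile(r"(user|login|pass|pw|ssn|card|cc)", re.I)
CARD_CANDIDATE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_layers(value):
    """Raw, URL-decoded and (when valid) base64-decoded views of a cookie value."""
    views = [value, unquote(value)]
    try:
        views.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except Exception:  # not base64, or not text once decoded
        pass
    return views

def audit_cookies(headers):
    """Return (cookie name, reason) pairs for values readable as sensitive data."""
    findings = []
    for header in headers:
        for name, morsel in SimpleCookie(header).items():
            reasons = set()
            for text in decode_layers(morsel.value):
                if SENSITIVE_NAMES.search(name + "=" + text):
                    reasons.add("credential-like field readable")
                if any(luhn_ok(m) for m in CARD_CANDIDATE.findall(text)):
                    reasons.add("Luhn-valid card number readable")
            findings.extend((name, r) for r in sorted(reasons))
    return findings
```

The opaque session token and the URL-encoded preference pass; the username, password and base64-wrapped profile are reported.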
- www.whatis.com (excellent Web-based technical encyclopedia)
- www.cookiecentral.com (tons of info about cookies)
- Persistent Client State HTTP Cookies Preliminary Specification
- "Behind Closed Doors: What every tester should know about Web privacy," by Russ Smith, January/February 2001 issue of STQE magazine (discussion of HTTP GET and POST methods and cookies)
- "E-Business Testing: Test Techniques and Tools - Risk-Based E-Business Testing Part 2," by Paul Gerrard, posted 2/7/2001 on StickyMinds.com (discussion of HTTP GET and POST methods, cookies, hidden form fields, and security testing)