Virtually every modern web application uses cookies, whether you like it or not. And, like any other part of the application, they need the tester's attention. So let us try to understand what cookies are, what they are made of and, most importantly, what they are for.
Before we get to testing cookies, it would be good to find out what they look like. Let's try.
So, a cookie is a small piece of data created by a web server and stored on the client machine, which the client software later sends back to the web server with its HTTP requests. The purpose of cookies is to keep user data on the client. That data is needed to work around some shortcomings of the HTTP protocol, and also to implement various conveniences, which are discussed later.
It is worth clarifying what is meant by the shortcomings of HTTP. The protocol is stateless: using HTTP alone you can never establish a relationship between one request-response pair and another. In practice this means, for example, that if your site has three pages page1.htm, page2.htm and page3.htm, and two users arrive, the first viewing page1.htm and the second page3.htm, after which both go to page2.htm, then there is no difference whatsoever between the two users' requests for that page: the web server cannot tell which pages a user visited before arriving at page2.htm.
The second problem with HTTP is that the protocol opens a new TCP connection for every request and closes it as soon as the request-response cycle is complete. This makes identifying the user much harder, because the protocol itself gives you no way to implement authentication (HTTP authentication does not count, since it requires the credentials to be sent with every access to the server). In fairness, HTTP/1.1 added the ability to send several requests over a single TCP connection, but that is quite another story.
Both problems are easily solved with cookies, which can carry identification data and various service information that helps track the user's actions.
By the way, I have mentioned several times that cookies can hold certain information, so it would be good to say what they physically are. In fact, a cookie is a small piece of text (under 4096 bytes) consisting of a name, a value and a few attributes, such as Expires, Domain and Path.
Where and how cookies are stored (and whether they are stored at all) is decided by the client, usually the browser. How long the client keeps a cookie can vary and is set for each cookie individually. By storage time, cookies are divided into session cookies (deleted as soon as the session between the browser and the server ends) and persistent cookies (deleted after the date given in the Expires attribute).
Cookies travel from the server to the client in the HTTP response, by adding a Set-Cookie header to it; in the opposite direction, the cookies are sent in the Cookie header of the HTTP request.
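As an added example (not code from the original article), here is a small parser for the two headers just described, a classifier that separates session cookies from persistent ones by the presence of Expires or Max-Age, and a builder for a Set-Cookie header. The sample header values are constructed for illustration.

```python
# Added example: parsing and building the Set-Cookie / Cookie headers.
# The header strings below are constructed, not captured from a real site.

from typing import Dict, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into name, value and attributes.

    Expects only the header value (without the leading 'Set-Cookie:').
    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no '=', are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_persistent(cookie: Dict[str, object]) -> bool:
    """A cookie with Expires or Max-Age survives closing the browser."""
    attrs = cookie["attrs"]
    return "expires" in attrs or "max-age" in attrs


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header ('a=1; b=2') into a dict.

    Only name=value pairs travel back to the server; attributes never do,
    so the server cannot tell from a request how the cookie was stored.
    """
    result: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result[name.strip()] = value.strip()
    return result


def build_set_cookie(name: str, value: str, max_age: Optional[int] = None,
                     path: str = "/", secure: bool = True, httponly: bool = True,
                     samesite: str = "Lax") -> str:
    """Assemble a Set-Cookie header value with the protective attributes on."""
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:          # leave it out to get a session cookie
        parts.append(f"Max-Age={max_age}")
    if secure:
        parts.append("Secure")       # only sent over HTTPS
    if httponly:
        parts.append("HttpOnly")     # not readable from page scripts
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


# Constructed sample headers, as a server might send them.
SESSION_HEADER = "sid=8f3a0c; Path=/; Secure; HttpOnly"
PERSISTENT_HEADER = ("lang=en; Expires=Wed, 21 Oct 2026 07:28:00 GMT; "
                     "Domain=.example.com; Path=/")

if __name__ == "__main__":
    for h in (SESSION_HEADER, PERSISTENT_HEADER):
        c = parse_set_cookie(h)
        print(c["name"], "persistent" if is_persistent(c) else "session", c["attrs"])
    print(parse_cookie_header("sid=8f3a0c; lang=en"))
    print(build_set_cookie("cart", "a1b2", max_age=7 * 24 * 3600))
```

Note that the Expires value itself contains a comma, which is why the parser splits only on semicolons.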
That concludes the short story about what a cookie is. The curious can study the specification (RFC 2965 at the time of writing; it has since been superseded by RFC 6265) and Wikipedia, while we move on to why cookies are used in real web applications.
What can you do with cookies? Quite a lot, actually: things without which it is hard to imagine the modern web, such as the following.
1. Authentication
Many web applications require authentication to access certain functions or data. The site you are on right now is an example: to add a comment or download a file you have to enter your username and password. Nothing special, it seems, but think about it: you enter the password only once, yet you can add a dozen comments or download a dozen files. How does the site "recognize" you, and why does it not ask you to repeat the authentication procedure every time? It is simple. Once you have entered your username and password, the server generates a unique key for you and sends it to your browser as a cookie. Now, every time you request a new page, the browser sends that cookie back to the server, which compares the key in it with its list of known user keys and then decides whether to give you the page and which actions to allow. Moreover, this cookie is not deleted when you leave the site: the browser keeps it for several days, sparing you the login procedure on subsequent visits.
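The mechanism described above, as an added example (not the code of any real site): the server checks the credentials, issues a random key, stores it with an expiry, and on each request maps the Cookie header back to a user. The account, password, lifetime and cookie name are assumptions made for the illustration.

```python
# Added example: a minimal server-side session store driven by a cookie.
# Account, password and lifetime are constructed values.

import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

COOKIE_NAME = "sid"
SESSION_LIFETIME = 3 * 24 * 3600   # "a few days": assumed value, in seconds

# Constructed test account. A real application stores salted password hashes.
_USERS = {"alice": "correct horse battery staple"}

# token -> (username, expiry). In production this table lives in a database
# or cache shared by every application server, not in process memory.
_SESSIONS: Dict[str, Tuple[str, float]] = {}


def _check_password(username: str, password: str) -> bool:
    expected = _USERS.get(username, "")
    # compare_digest keeps the comparison time independent of where the mismatch is
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


def _token_from(cookie_header: Optional[str]) -> Optional[str]:
    """Pick the session cookie out of a Cookie request header."""
    for pair in (cookie_header or "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == COOKIE_NAME and value:
            return value
    return None


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Return the Set-Cookie header value for a new session, or None on bad credentials."""
    if not _check_password(username, password):
        return None
    now = time.time() if now is None else now
    # 256 random bits from the OS CSPRNG: the key must be unguessable, so it is
    # never derived from the username, a counter or the clock.
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (username, now + SESSION_LIFETIME)
    # Max-Age makes it persistent (no re-login after closing the browser),
    # Secure keeps it off plain HTTP, HttpOnly hides it from page scripts.
    return (f"{COOKIE_NAME}={token}; Path=/; Max-Age={SESSION_LIFETIME}; "
            "Secure; HttpOnly; SameSite=Lax")


def current_user(cookie_header: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Map the Cookie header of a request to a username, or None if not logged in."""
    now = time.time() if now is None else now
    token = _token_from(cookie_header)
    entry = _SESSIONS.get(token) if token else None
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del _SESSIONS[token]          # expired: forget it and force a fresh login
        return None
    return username


def logout(cookie_header: Optional[str]) -> str:
    """Invalidate the session server-side and tell the browser to drop the cookie."""
    _SESSIONS.pop(_token_from(cookie_header), None)
    # Max-Age=0 instructs the browser to delete the cookie immediately.
    return f"{COOKIE_NAME}=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    header = login("alice", "correct horse battery staple")
    print("Set-Cookie:", header)
    token = header.split(";", 1)[0].split("=", 1)[1]
    print("user:", current_user(f"sid={token}"))
    print("Set-Cookie:", logout(f"sid={token}"))
    print("user after logout:", current_user(f"sid={token}"))
```

Two points a tester should take from this: the key is only as good as its unpredictability, and the server, not the browser, decides when a key stops being valid (the Max-Age in the cookie is a hint to the client, the expiry in the store is the real limit).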
2. Personalization
Web sites often let users change some display settings, for example colors or language. Again, a perfectly ordinary thing, except that quite a few sites let even unauthenticated users do it. Where are those settings stored? That's right, in a cookie. As an example, look at everybody's favorite (or least favorite) Vkontakte. Try changing the language on the registration page, then close your browser and reopen the same page. The language stays the one you selected before closing the browser, and all thanks to a cookie named remixlang that holds the code of the chosen language.
3. Statistics Collection
Naturally, every web site owner wants to know who visited the resource, when and why. Just as naturally, this desire has been met by dozens and hundreds of online statistics services, and these services could not work without cookies. Why? Because without cookies they would be, to put it mildly, useless: the information they could provide would be limited to a list of IP addresses with visit times, the Referer field and data about the user environment (OS, browser and so on). The usefulness of such statistics is close to zero, all the more so since a webmaster can count unique visits without outside help. The creators of these services know this, which is why they shamelessly litter your browser with lots of different cookies, which will later answer the questions site owners care about: "Who came?", "Why did they come?", "How many came?", "How long did they stay?", "What else did they visit?". Don't believe you are being watched with nothing more than a cookie? Then refresh the page ;)
4. Internet Marketing
Besides gathering statistics, cookies are also successfully used to profit from the same statistics. Look at Yandex Direct, Google AdSense or any other advertising service. You will easily notice that the ads shown to you relate not only to the subject of the site you are on now, but also to the subject of sites you visited earlier, and even to search queries you previously typed into Yandex and Google. This kind of targeting, again, owes its existence to cookies: it is the cookies stored in your browser that let advertising networks pick ad topics that might interest you.
5. Shopping carts in online stores
Another striking example of cookie use is the shopping cart of an online store. Few stores would risk losing a potential buyer by forcing them to register, so customers are allowed to make purchases by entering only the most essential contact details. All good, but what about buyers who do not want to register yet want to buy several items? Keeping the list of items in their cart the usual way is hardly possible in this case, so this functionality again relies on a cookie, which records a unique identifier corresponding to a specific set of items in the cart.
All of the above is only a small part of what can be implemented with cookies. But in my opinion these examples are enough to understand how important cookies are on today's web, and to leave no doubt that they need testing. So let's get to the part this article was actually started for. Testing.
1. Make sure cookies do not store confidential information
Ideally, sensitive data should not be in cookies at all. Why? Because a cookie has no built-in protection mechanism, and anyone who needs to can read it. If you have no choice and such data must be stored in cookies, then make sure it is not stored in clear text and that real encryption is used, not something like Base64 encoding. And since the client can modify the value as easily as read it, the integrity of an encrypted cookie must be protected as well (authenticated encryption or a MAC), otherwise the server will happily decrypt whatever the user sends back.
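The check described above, turned into a small tester's helper as an added example (not code from the original article): it tries the common "looks opaque but is not" encodings on each cookie value and flags values or names that mention something sensitive. The cookie jar and the list of sensitive words are constructed for the illustration; the decoding is a heuristic, so treat a hit as something to look at, not proof.

```python
# Added example: spotting cookies that are merely encoded rather than encrypted.
# SAMPLE_COOKIES is a constructed cookie jar, not captured from a real site.

import base64
import binascii
import string
from typing import Dict, List, Optional, Tuple

PRINTABLE = set(string.printable)
SENSITIVE_WORDS = ("pass", "pwd", "role", "admin", "email", "card")   # assumed list
MIN_DECODED = 4   # shorter decodings are usually coincidence, not a real encoding


def _as_text(data: bytes) -> Optional[str]:
    """Return data as str if it is printable UTF-8 text of useful length."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if len(text) < MIN_DECODED or not all(ch in PRINTABLE for ch in text):
        return None
    return text


def try_decode(value: str) -> Optional[Tuple[str, str]]:
    """Try Base64, Base64url and hex on a cookie value.

    Returns (encoding, plaintext) when the value is merely encoded text,
    None when it looks opaque (random bytes, a hash, ciphertext) or plain.
    """
    padded = value + "=" * (-len(value) % 4)     # tolerate stripped '=' padding
    attempts = (
        ("base64", lambda: base64.b64decode(padded, validate=True)),
        ("base64url", lambda: base64.urlsafe_b64decode(padded)),
        ("hex", lambda: bytes.fromhex(value)),
    )
    for label, decode in attempts:
        try:
            text = _as_text(decode())
        except (ValueError, binascii.Error):
            continue
        if text is not None:
            return label, text
    return None


def audit_cookies(cookies: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag cookies whose name or (decoded) value mentions something sensitive."""
    findings = []
    for name, value in cookies.items():
        decoded = try_decode(value)
        encoding, text = decoded if decoded else ("plain", value)
        haystack = f"{name} {text}".lower()
        if any(word in haystack for word in SENSITIVE_WORDS):
            findings.append((name, encoding, text))
    return findings


# Constructed cookie jar, as a tester might copy it out of the browser.
SAMPLE_COOKIES = {
    "sid": "8f3a0c1b2d4e",                  # opaque, fine
    "prefs": "cm9sZT1hZG1pbg==",            # Base64 of "role=admin"
    "pwd": "636f727265637420686f727365",    # hex of "correct horse"
    "lang": "en",                           # harmless plain text
}

if __name__ == "__main__":
    for name, encoding, text in audit_cookies(SAMPLE_COOKIES):
        print(f"{name}: {encoding} -> {text!r}")
```

A genuinely encrypted value fails all three attempts because the decoded bytes are not printable text; the two flagged cookies above are exactly the "Base64 instead of encryption" case the check is about.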
2. Check the number of cookies used
There is no clear answer to how many cookies there should be. We cannot say that 10 cookies is fine and 12 is bad. The guiding principle here is: the fewer, the better. A small number of cookies will spare many corporate users, and ordinary paranoids, who have "Ask me before accepting cookies" enabled in their browser, a nervous breakdown. Also remember that the number of cookies a browser accepts is not unlimited. For most modern browsers the figure is around 50 per domain (that is the minimum RFC 6265 requires a browser to hold; actual limits vary by browser). By the way, if the number of cookies in your project starts approaching that figure, you are obviously doing something wrong.
3. Make sure the application keeps working when cookies are disabled or accepted selectively
If the application makes active use of cookies, it will most likely not work properly when the browser refuses them. But its behavior should still be adequate: the application should not spill exceptions and assorted server errors; instead it should unobtrusively :) ask the user to enable cookies. The same applies to selective acceptance of cookies. To accept cookies selectively, just enable the browser option "Ask me before accepting cookies" and try accepting, for example, only half of the cookies the site sends.
4. Make sure the application responds adequately to manual deletion of cookies
Simply close the site under test, delete all the cookies it stored from your browser, then reopen the site and watch what happens to it. And what should happen is absolutely nothing: the application must remain fully operational.
5. Check the application's response to corrupted cookies
No one can rule out failures in data transfer between server and client (or the other way round) that lead to data corruption. Naturally, cookies can be corrupted too, so try corrupting them deliberately and observe the behavior of the application under test. Keep in mind that the client controls the cookie completely, so deliberate tampering by a user is at least as likely as accidental corruption: a cookie is untrusted input and must be validated like any other.
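Checks 3, 4 and 5 share one idea: take the cookies a healthy client sends and see what the application does when some are missing, all are gone, or values are damaged. As an added example (not code from the original article), the block below generates those cases from a known-good cookie set and runs them against two hypothetical request handlers, a naive one that trusts its cookies and a hardened one that degrades instead of crashing. The session table and cookie names are assumptions.

```python
# Added example: cookie mutation cases for checks 3 to 5, run against a naive
# and a hardened handler. SESSIONS and GOOD_COOKIES are constructed test data.

import itertools
from typing import Callable, Dict, List, Tuple

Cookies = Dict[str, str]
Case = Tuple[str, Cookies]

# Constructed state: one live session and the cookies a healthy client sends.
SESSIONS = {"8f3a0c": "alice"}
GOOD_COOKIES: Cookies = {"sid": "8f3a0c", "cart": "3"}


def cookie_mutations(cookies: Cookies) -> List[Case]:
    """Derive the test cases for checks 3 to 5 from a known-good cookie set."""
    cases: List[Case] = [("all cookies", dict(cookies)),
                         ("no cookies", {})]                      # checks 3 and 4
    names = sorted(cookies)
    for size in range(1, len(names)):                             # check 3: partial acceptance
        for subset in itertools.combinations(names, size):
            cases.append(("only " + ",".join(subset), {n: cookies[n] for n in subset}))
    for name, value in cookies.items():                           # check 5: corruption
        for label, bad in (("empty", ""),
                           ("truncated", value[: len(value) // 2]),
                           ("oversized", value * 200),
                           ("wrong type", "not-a-number"),
                           ("metacharacters", value + "';--<>")):
            cases.append((f"{name}: {label}", {**cookies, name: bad}))
    return cases


def naive_handler(cookies: Cookies) -> int:
    """Trusts the cookies completely; any surprise becomes an unhandled exception."""
    user = SESSIONS[cookies["sid"]]        # KeyError when missing or corrupted
    items = int(cookies["cart"])           # ValueError on anything but digits
    return 200 if user and items >= 0 else 500


def hardened_handler(cookies: Cookies) -> int:
    """Treats every cookie as untrusted input and degrades instead of crashing."""
    if SESSIONS.get(cookies.get("sid", "")) is None:
        # Not logged in, or the cookies were rejected: send to the login page,
        # which is where the "please enable cookies" hint belongs.
        return 302
    cart = cookies.get("cart", "0")
    if not (cart.isdigit() and len(cart) <= 4):
        cart = "0"    # corrupted cart: reset it rather than fail the whole page
    return 200


def run(handler: Callable[[Cookies], int], cases: List[Case]) -> Dict[str, int]:
    """Run every case; an escaped exception is what the user sees as a 500 page."""
    results: Dict[str, int] = {}
    for label, cookies in cases:
        try:
            results[label] = handler(cookies)
        except Exception:
            results[label] = 500
    return results


def server_errors(handler: Callable[[Cookies], int],
                  cookies: Cookies = GOOD_COOKIES) -> List[str]:
    """Labels of the mutations that made the handler fall over."""
    return sorted(label for label, status in run(handler, cookie_mutations(cookies)).items()
                  if status >= 500)


if __name__ == "__main__":
    print("naive:   ", server_errors(naive_handler))
    print("hardened:", server_errors(hardened_handler))
```

The same case generator works unchanged against a real site if the handler is replaced by a function that sends the cookies in an HTTP request and returns the status code.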
6. Make sure cookies are set and removed on the pages where that is expected and necessary
If your application uses cookies to track a user action (for example, a ticket to technical support, or an order in an online store), check that the relevant cookies are created when the user initiates the action and removed once it is completed. For example, when placing an order in an online store, where the user has to fill in forms on several pages in turn, the cookie should be created when the "Checkout" button is clicked and removed once all the necessary data has been sent to the server (by the way, in this case not only the cookies that "escorted" the user through the checkout process must be removed, but also those responsible for the contents of the shopping cart).
7. Make sure cookies work correctly in all browsers the application will be used with
Everyone has long been used to cross-browser testing, knowing that each browser has its own quirks and that the application's behavior may differ from browser to browser. But what does that have to do with cookies? After all, every modern browser supports DOM Level 1 and provides practically the same mechanism for accessing cookies. Nevertheless, problems are possible here too, for example when cookies are set or read via JavaScript (I hope there is no need to talk about cross-browser JS), or when the browser itself has a quirk in this area.
8. Verify that access to different parts of the application cannot bypass the cookie used for authentication or authorization
Some web sites transmit user IDs in the clear, for example in the URL. Naturally, substituting these identifiers must not grant access to other users' accounts: the account being acted on should follow from the authenticated session, not from a value the user can type in. To make it clearer what this is about, try logging in to this site and going to edit your profile, then try replacing your UserID in the URL with any other.
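The check in item 8, as an added example (not code from the original article or from this site): a hypothetical profile-edit endpoint in two versions, one that only verifies that somebody is logged in and then trusts the UserID from the URL, and one that derives the account from the session cookie. The route, user table and session token are assumptions.

```python
# Added example: the UserID-in-URL check from item 8. USERS, SESSIONS and the
# route are constructed for illustration.

import copy
from typing import Callable, Dict, Optional, Tuple

Users = Dict[int, Dict[str, str]]
Response = Tuple[int, Optional[Dict[str, str]]]

# Constructed data: two accounts and one live session, which belongs to alice.
USERS: Users = {1: {"name": "alice", "email": "alice@example.com"},
                2: {"name": "bob", "email": "bob@example.com"}}
SESSIONS: Dict[str, int] = {"8f3a0c": 1}    # session token -> user id


def _session_user(cookies: Dict[str, str]) -> Optional[int]:
    return SESSIONS.get(cookies.get("sid", ""))


def edit_profile_vulnerable(users: Users, url_uid: int, cookies: Dict[str, str],
                            new_email: str) -> Response:
    """Handler for a hypothetical route PUT /profile/edit?UserID=<url_uid>.

    It checks that *somebody* is logged in, then trusts the UserID in the URL.
    """
    if _session_user(cookies) is None:
        return 302, None                        # redirect to login
    if url_uid not in users:
        return 404, None
    users[url_uid]["email"] = new_email         # no check that url_uid is the caller
    return 200, users[url_uid]


def edit_profile_fixed(users: Users, url_uid: int, cookies: Dict[str, str],
                       new_email: str) -> Response:
    """Same route; the account being edited comes from the session, never from the URL."""
    uid = _session_user(cookies)
    if uid is None:
        return 302, None
    if url_uid != uid:
        return 403, None        # or 404, to avoid confirming that the other id exists
    users[uid]["email"] = new_email
    return 200, users[uid]


def probe(handler: Callable[..., Response], url_uid: int, cookies: Dict[str, str],
          new_email: str = "probe@example.com") -> Tuple[int, Users]:
    """Run one request against a fresh copy of the data; return (status, users after)."""
    users = copy.deepcopy(USERS)
    status, _ = handler(users, url_uid, cookies, new_email)
    return status, users


def idor_probe(handler: Callable[..., Response]) -> bool:
    """The check from item 8: log in as alice and put bob's UserID into the URL."""
    status, users = probe(handler, url_uid=2, cookies={"sid": "8f3a0c"},
                          new_email="evil@example.com")
    return status == 200 and users[2]["email"] == "evil@example.com"


if __name__ == "__main__":
    print("vulnerable handler lets alice edit bob:", idor_probe(edit_profile_vulnerable))
    print("fixed handler lets alice edit bob:     ", idor_probe(edit_profile_fixed))
```

The lesson for the tester is that a valid session cookie answers "who is this?" but not "may they touch this object?"; the second question has to be asked for every identifier the request carries.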
That is about it. To those who expected to see something about XSS in this post, my apologies :). I think that topic, although it concerns cookies, still deserves a separate discussion.