What Are Cookies and How to Test Them?

An HTTP cookie (Internet cookie, browser cookie) is a small piece of data (part of the http header) that a web server stores in a text file on the user’s (client’s) hard drive. This piece of information is then sent back to the server every time the browser requests a page from the server.

Typically, cookies contain personalized user data or information that is used to determine if two requests came from the same browser – for example, to log a user into a system or to communicate between different web pages. It memorizes stateful information for the stateless HTTP protocol.

Cookies are mainly used for three purposes:

• Session Management: Logins, shopping carts, game results, and everything the server needs to remember
• Custom settings, themes, and other settings
• Recording and analyzing user behavior

Cookies mainly consist of three elements:

• Server name (the one that sent the cookie)
• Cookies Lifetime
• Randomly generated unique number

The maximum cookie size is 4 kilobytes (4096 bytes), in some sources 4093 bytes.

Types of Cookies

1. Session Cookies

Session cookies, also known as temporary cookies, only exist in temporary memory: while a user is browsing the webpage. Browsers usually delete these cookies when a user closes the browser. Session cookies do not expire, unlike other types, so browsers treat them as cookies per session.

2. Persistent Cookies

Persistent cookies are deleted on a specific date or after a specific time, unlike session cookies. This means that information about the cookie is transmitted to the server every time the user visits the website to which these cookies belong. This is why persistent cookies are sometimes referred to as tracking cookies. They can be used by advertisers to record users’ preferences over a long time. However, they can also be used for “peaceful” purposes, for example, to avoid re-entering data each time you visit the web page.

3. Third-party Cookies

Typically, the cookie domain attribute is the same as the domain that appears in the address bar of your web browser. This is called the first-party cookie. A third-party cookie, on the other hand, belongs to a domain other than the one written in the address bar. Third-party cookies usually appear when web pages have content from external websites, like, for example, banner ads. This allows tracking a user’s browsing history and is often used by advertisers to deliver relevant ads to a specific user.

4. Supercookies

A supercookie is a cookie with a top-level domain origin (eg .com) or a publicly available suffix (e.g. .co.uk). In contrast, regular cookies are derived from a specific domain name, such as example.com. Supercookies can be viewed as a potential security issue and are often blocked by browsers. If a browser unblocks a malicious website, an attacker could set a supercookie and potentially disrupt or impersonate legitimate user requests for another website that uses the same top-level domain or public suffix as the malicious website. For instance, a supercookie of .com domain might have a malicious impact on a request to example.com, even if it was not generated from that address. This can be used to forge logins or alter user information.

5. Zombie Cookies

Since cookies can be very easily deleted from the browser, programmers are looking for ways to identify users even after completely clearing the browser history. One such solution is zombie cookies (or evercookie) – non-removable or hard-to-remove cookies that can be restored in the browser using JavaScript. This is possible because the website simultaneously uses all available browser storage (HTTP ETag, Session Storage, Local Storage, Indexed DB) to store cookies, including application storage such as Flash Player (Local Shared Objects), Microsoft Silverlight (Isolated Storage), and Java (Java persistence API). When the program detects the absence of a cookie in the browser, information about which is present in other storage, it immediately restores it and, in this way, identifies the user for the website.

Test Cases for Cookie Testing

• Disable cookies: disable all cookies and try to use the basic website functions.
• Damaged cookies: manually edit the cookie in notepad and change the settings to a few random values.
• Cookie encryption: sensitive information such as passwords and usernames must be encrypted.
• Testing cookies in multiple browsers. Make sure your website records cookies correctly in different browsers.
• Check for deletion of cookies from the website.
• Delete Cookies: delete all website cookies and see how the website reacts.
• Cookie access: cookies written by one website should not be accessible by another.
• Avoid overuse of cookies: If the application under test is a public website, you should not abuse cookies.
• Testing with other settings. Testing must be done correctly to ensure that the website performs well with other cookie settings.
• Categorize cookies separately: you should not store cookies in the same category as malware, spyware or spam.