“It's vital to understand how application cookies work and how they can affect the privacy and experience of our application's end users. This way, end users can be protected from privacy violations and can fully enjoy UX enhancements that cookies can offer.”
What (and why) do testers need to know about application cookies?
Application cookies described in 30 seconds or less
Application cookies are becoming increasingly important in our day and age. They can provide a better and smoother user experience, but they also come with many security concerns that need to be addressed while testing.
To test browser cookies properly, we first need to understand what cookies are and the contexts in which they are used. Knowing how to test cookies (and the various ways in which they can be manipulated) can be a very handy and valuable skill for a software tester.
Why are cookies important for data privacy and user experience?
Since they are small, relatively simple text files, cookies might seem trivial and harmless. After all, they are stored on your system by websites you choose to visit, to remember information about your browsing session.
Cookies can be and usually are used in ways that benefit the end user, like saving your preferences and personalizing website visits. But they can also be used to keep track of your online activity and share your personal data with third-party companies, which can raise privacy concerns.
A few years ago, the European Union implemented the GDPR to regulate the handling and disposal of sensitive personal data. Since cookies pose a security risk with regard to the storage of such data, websites must now clearly explain their use of cookies and ask for consent from site visitors before placing any personal-data cookies on their device. If you do not consent, the site can't place any such cookies on your device; you must give affirmative consent. Consent must be: informed, meaning that the end user needs to be told what cookies will be used for and what personal data might be stored in them; freely given; and unambiguous. Testers who are not in the EU take note: the GDPR governs your website's use by people who live in EU countries, no matter where your company or servers are.
A world of cookie types
All application cookies have some characteristics in common, such as expiration, persistence, access level, and so forth. However, some functionality is specific to certain types of cookies. For example, Flash cookies aren't stored in the web browser, unlike most others.
In this article we will cover each type of cookie to see their specifics and understand better how they work behind the scenes.
So let’s dive into different types of cookies and how we can test them!
How long should cookies last? Duration-based cookies
Session cookies
These cookies track the end user's interactions with the website and are tied to a single session. They are temporary and help websites recognize the user in the active session, such as when shopping in an online store.
Session cookies are also used to:
- Remember that the user is logged in (has an active session)
- Preserve form data so that, for example, if a user fills out a contact form, navigates to another screen, and then returns, their input isn’t lost
- Store site preferences, like your language of choice, if you’re using a dark or light theme, and so forth
Persistent cookies
These cookies are persisted on your system even after you close your browser. This helps if, for example, you want to stay logged into your account without having to log back in. However, even these cookies must be deleted after 12 months.
Persistent cookies serve to:
- Remember the end user's settings, such as language, theme, and font size
- Store encrypted login info when using automatic sign-in
- Track user behavior via analytics across multiple sessions
- Enable personalized content based on the user’s browsing history and interests
Some subtypes of persistent cookies are:
- Tracking cookies: These track user behavior across websites and can be a real privacy concern.
- Flash cookies: These are also called “Supercookies” since they are permanently stored on your computer. They are used by the Adobe Flash Player, but with the decline of Flash usage they aren't as common as they used to be. They are also known as LSOs (Local Shared Objects) and can persist even after other cookies are deleted, since they are not managed by the web browser.
- Zombie cookies: These often have legitimate uses, like the prevention of cheating in online games. However, they can be used for malicious purposes too. They are re-created after being deleted, and can then be used to install malicious software on the end user's device. They tend to be difficult to detect and delete: for example, they can be backed up in the browser's local storage or other mechanisms that aren't accessible to the typical end user. Sometimes they rely on XSS (cross-site scripting) to inject code from malicious websites, making it harder to get rid of them. Or they might be persisted on the server, making it difficult to remove them from the client side due to access issues.
Who created the cookies? Creator ID-based cookies
Note that these types of cookies can be either session-based or persistent.
First-party cookies
Stored directly by the code of the site you’re visiting, first-party cookies collect data for analytics, store language settings, and manage any other configuration needed to make the user experience smoother and more convenient. You can view and manipulate them by selecting the options for the site directly from the URL bar. They remember your login status, site preferences, site navigation tracking, and data like shopping cart content.
Third-party cookies
Advertisers whose code is hosted by a website you visit may store third-party cookies to show you targeted ads. For example, you do a web search for a product and after that you see ads for identical or similar products. These cookies can serve abusive purposes and they are often part of regular security testing checks.
Since they are set by a different domain than the one your company uses to serve its website, they can get missed in testing even though they need to be tested thoroughly.
Suggestions for testing application cookies
What's universal for testing all cookie types?
When testing any type of cookie, keep the following in mind:
- Detection and inspection: Use browser developer tools to identify and inspect cookies, including name, value, domain, path, expiration date, and HTTP-only flag.
- Creation and storage: Verify that cookies are created when expected, such as upon page load or after a user action. Ensure they are stored correctly on the user's device.
- Retrieval and persistence: Test if cookies are retrieved correctly on subsequent page loads, for consistent user experience. Validate their persistence based on their defined expiration date or session-based nature.
- Deleting and managing cookies: Check to see if cookies can be deleted manually through browser settings or automatically upon expiration.
- Security testing: Make sure that cookies are transmitted only over HTTPS and are marked HttpOnly so that client-side scripts cannot read them.
What’s unique when testing specific types of cookies?
Session cookies
- Verify creation and deletion at the start and end of the session. Deletion at the end of the browser session especially needs to be confirmed so that no information, private or otherwise, is retained other than that which the user consented to.
- Test storing of session-specific data, such as user preferences or shopping cart items.
- Check to make sure they are NOT persistent across browser restarts.
Persistent cookies
- Check the name, value, domain, path, and expiration date.
- Try modifying the values of the cookie to identify potential security risks.
- Clear the browser cache to observe how the website behaves and to make sure that persistent cookies are set properly.
- Investigate how they perform in multiple browser sessions. For example, upon closing the browser and starting a new session, the persistent cookie should still be there.
- Check a variety of browsers and devices to verify that the cookie is compatible with all of them and that it provides a consistent user experience.
Flash cookies
- Test detection and removal using specialized tools (like FlashCookiesView)
- Verify behavior when accessing Flash content on websites.
- Check persistence across browser sessions and after restarts of the device.
First-party cookies
- Test creation and storage upon first-page load and after user interactions.
- Check expiration dates and persistence across several browser sessions.
- Ensure they are accessible only to the intended domain and path, to avoid exploits.
Third-party cookies
- Check that they are set by third-party domains and have appropriate scopes.
- Make sure that user consent is obtained for their usage, especially for tracking and advertising purposes.
- Test how they affect user privacy and data protection.
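The attribute checks listed above (the universal "Security testing" bullet, the persistent-cookie expiration check, and the domain-scope checks for first- and third-party cookies) can be run mechanically against the Set-Cookie headers a site returns. The following Python audit is an added example, not code from the original article; the sample headers, the site host shop.example.com and the reference date are constructed for illustration, and the 365-day ceiling follows the 12-month limit stated earlier.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=365)  # the 12-month ceiling on persistent cookies cited above
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed reference time for the samples
SAMPLES = [  # constructed Set-Cookie headers, not captured from any real site
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=tok; Max-Age=63072000; Domain=example.com; Path=/",
    "_adtrack=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=ads.example.net; Secure; SameSite=None",
]

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_set_cookie(header, site_host, now=None):
    """Return {'name', 'persistent', 'findings'} for one header; site_host is the page's host."""
    now = now or datetime.now(timezone.utc)
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    # Transport and script-access flags (the "Security testing" bullet above)
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: value is readable by client-side scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    # Scope: a Domain that does not cover the page's host marks a third-party cookie
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != site_host and not site_host.endswith("." + domain):
        findings.append(f"Domain={domain} does not cover {site_host}: third-party cookie")
    elif domain and domain != site_host:
        findings.append(f"Domain={domain} is shared with every subdomain of it")
    # Lifetime: no Max-Age/Expires means a session cookie; otherwise check the ceiling
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = expires.replace(tzinfo=expires.tzinfo or timezone.utc) - now  # "-0000" parses naive
    persistent = lifetime is not None and lifetime > timedelta(0)
    if lifetime is not None and lifetime > MAX_LIFETIME:
        findings.append(f"lifetime of {lifetime.days} days exceeds the 12-month ceiling")
    return {"name": name, "persistent": persistent, "findings": findings}
```

Run audit_set_cookie over every Set-Cookie header captured by your automation (Playwright and Selenium both expose response headers) and fail the test when the findings list is non-empty.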
Tools and techniques for testing cookies
Developer tools in the browser
With browser developer tools like Chrome's DevTools, you have a built-in way to inspect, edit, and delete cookies.
If we navigate to the Application section of Developer Tools, we can see details about the cookies the website is using and we can view, delete, or manipulate them.
Automated checking tools
Tools like Selenium WebDriver, Playwright, and others can be used to verify cookie attributes and behavior. This can save testers some time, and the tools can act like an alarm system if something goes wrong with a cookie our website is using.
These tools can simulate end-user behavior and interactions with our website, and they can be used to verify how our cookies behave across multiple sessions.
Good old “manual” testing
While it’s true that automation can help make testing of application cookies much faster, there are cases where the human touch is required. Test automation solutions will only cover exactly what we instruct them to do. Actual human testing is still very much needed and welcomed, to explore our cookies to identify edge cases and to make sure cookies are implemented in an intuitive way that improves the user experience of our customers.
To wrap up
It's vital to understand how application cookies work and how they can affect the privacy and experience of our application's end users. This way, end users can be protected from privacy violations and can fully enjoy the UX enhancements that cookies can offer.
For more information
- Cookies are here to stay...for now, Aj Wilson
- But I'm Not A Security Tester! Security Testing On The Web For The Rest Of Us, Kate Paulk
- Browser Cache Basics For Software Testers, Ioan Solderea