
All about application cookies: Software tester edition

Discover how cookies affect privacy and UX to be able to test and secure applications effectively.

An illustration of a large cookie-shaped asteroid with chocolate chips orbiting in space. A happy orange astronaut MoT monster with three eyes floats nearby, and a small, grinning MoT monster with utensils pops out of the cookie planet.

“It's vital to understand how application cookies work and how they can affect the privacy and experience of our application's end users. This way, end users can be protected from privacy violations and can fully enjoy UX enhancements that cookies can offer.”

What (and why) do testers need to know about application cookies?

Application cookies described in 30 seconds or less

Application cookies are becoming increasingly important in our day and age. They can provide a better and smoother user experience, but they also come with many security concerns that need to be addressed while testing.  

To test browser cookies properly, we first need to understand what cookies are and the contexts in which they are used. Knowing how to test cookies (and the various ways in which they can be manipulated) can be a very handy and valuable skill for a software tester.  

Why are cookies important for data privacy and user experience?

Since they are small, relatively simple text files, cookies might seem trivial and harmless. After all, they are stored on your system by websites you choose to visit, to remember information about your browsing session. 

Cookies can be and usually are used in ways that benefit the end user, like saving your preferences and personalizing website visits. But they can also be used to keep track of your online activity and share your personal data with third-party companies, which can raise privacy concerns. 

A few years ago, the European Union introduced the GDPR to regulate how sensitive personal data is collected, stored, and disposed of. Since cookies can store such data, websites must now clearly explain their use of cookies and obtain consent from visitors before placing any personal-data cookies on their device. If you do not consent, the site can’t place any cookies on your device; you must give affirmative consent. Consent must be informed (the end user is told what the cookies will be used for and what personal data they may hold), freely given, and unambiguous. Testers who are not in the EU take note: the GDPR governs your website's use by people who live in EU countries, no matter where your company or servers are located.

A world of cookie types

All application cookies have some characteristics in common, such as expiration, persistence, access level, and so forth. However, some functionality is specific to certain types of cookies. For example, Flash cookies aren’t stored in the web browser, unlike most others. 

In this article we will cover each type of cookie to see their specifics and understand better how they work behind the scenes.

So let’s dive into different types of cookies and how we can test them!

How long should cookies last? Duration-based cookies

Session cookies 

These cookies track the end user’s interactions with the website and are tied to a single session. They are temporary and help websites recognize the user in the active session, such as shopping in an online store. 

Session cookies are also used to:

  • Remember that the user is logged in (has an active session)
  • Preserve form data so that, for example, if a user fills out a contact form, navigates to another screen, and then returns, their input isn’t lost
  • Store site preferences, like your language of choice, if you’re using a dark or light theme, and so forth

Persistent cookies 

These cookies remain on your system even after you close your browser. This helps if, for example, you want to stay logged into your account without having to log back in. However, even these cookies must be deleted after 12 months.

Persistent cookies serve to:

  • Remember the end user's settings, such as language, theme, and font size
  • Store encrypted login info when using automatic sign-in
  • Track user behavior via analytics across multiple sessions
  • Enable personalized content based on the user’s browsing history and interests

Some subtypes of persistent cookies are:

  • Tracking cookies: These track user behavior across websites and can be a real privacy concern. 
  • Flash cookies: These are also called “Supercookies” since they are permanently stored on your computer. They are used by the Adobe Flash Player, but with the decline of Flash usage they aren't as common as they used to be. They are also known as LSOs (Local Shared Objects) and can persist even after other cookies are deleted, since they are not managed by the web browser.
  • Zombie cookies: These often have legitimate uses, like the prevention of cheating in online games. However, they can be used for malicious purposes too. Sometimes they are re-created after being deleted, and then they are used to install malicious software on the end user’s device. They tend to be difficult to detect and delete: for example, they can use the browser’s local storage or other mechanisms that aren't accessible to the typical end user. Sometimes they use XSS (cross-site scripting) to inject code from malicious websites, making it harder to get rid of them. Or they might be persisted on the server, making it difficult to remove them from the client side because the user has no access there.

Who created the cookies? Creator ID-based cookies 

Note that these types of cookies can be either session-based or persistent.

First-party cookies 

Stored directly by the code of the site you’re visiting, first-party cookies collect data for analytics, store language settings, and manage any other configuration needed to make the user experience smoother and more convenient. You can view and manipulate them by selecting the options for the site directly from the URL bar. They remember your login status and site preferences, track your navigation within the site, and hold data like shopping cart contents.

Third-party cookies

Advertisers whose code is hosted by a website you visit may store third-party cookies to show you targeted ads. For example, you do a web search for a product and after that you see ads for identical or similar products. These cookies can serve abusive purposes and they are often part of regular security testing checks. 

Since they are set by a different domain than the one your company uses to serve its web site, they can get missed in testing even though they need to be tested thoroughly. 

Suggestions for testing application cookies

What's universal for testing all cookie types?

When testing any type of cookie, keep the following in mind:

  1. Detection and inspection: Use browser developer tools to identify and inspect cookies, including name, value, domain, path, expiration date, and the HttpOnly flag.
  2. Creation and storage: Verify that cookies are created when expected, such as upon page load or after a user action. Ensure they are stored correctly on the user's device.
  3. Retrieval and persistence: Test if cookies are retrieved correctly on subsequent page loads, for consistent user experience. Validate their persistence based on their defined expiration date or session-based nature.
  4. Deleting and managing cookies: Check to see if cookies can be deleted manually through browser settings or automatically upon expiration.
  5. Security testing: Make sure that cookies are transmitted only over HTTPS (the Secure attribute) and are marked HttpOnly so that client-side scripts cannot read them, which limits what a malicious script can do with them.

What’s unique when testing specific types of cookies?
Session cookies

  • Verify creation and deletion at the start and end of the session. Deletion at the end of the browser session especially needs to be confirmed so that no information, private or otherwise, is retained other than that which the user consented to. 
  • Test storing of session-specific data, such as user preferences or shopping cart items.
  • Check to make sure they are NOT persistent across browser restarts.

Persistent cookies

  • Check the name, value, domain, path, and expiration date. 
  • Try modifying the values of the cookie to identify potential security risks.
  • Clear the browser cache to observe how the website behaves and to make sure that persistent cookies are set properly.
  • Investigate how they perform in multiple browser sessions. For example, upon closing the browser and starting a new session, the persistent cookie should still be there.
  • Check a variety of browsers and devices to verify that the cookie is compatible with all of them and that it provides a consistent user experience.
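The universal checklist above and the session-versus-persistent checks in the two lists that follow it can be turned into a small automated check. The following is an added example, not code from the article: it parses Set-Cookie header lines (constructed samples here, of the kind a tester would copy from the browser's Network tab), classifies each cookie as session or persistent, and reports missing Secure or HttpOnly flags, a lifetime above the 12-month limit stated earlier, and a Domain attribute wider than the site under test. The site name shop.example.com and the fixed clock are assumptions for the sample.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

MAX_PERSISTENT_LIFETIME = timedelta(days=365)  # the 12-month limit stated above

@dataclass
class CookieReport:
    name: str
    persistent: bool                      # True when Max-Age or Expires is present
    lifetime: Optional[timedelta]         # None for session cookies
    issues: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def check_cookie(header: str, site_domain: str, now: datetime) -> CookieReport:
    name, _, attrs = parse_set_cookie(header)
    lifetime: Optional[timedelta] = None
    if "max-age" in attrs:                # Max-Age wins over Expires when both are set
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    report = CookieReport(name, persistent=lifetime is not None, lifetime=lifetime)
    if "secure" not in attrs:
        report.issues.append("missing Secure: can be sent over plain HTTP")
    if "httponly" not in attrs:
        report.issues.append("missing HttpOnly: readable by client-side scripts")
    if lifetime is not None and lifetime > MAX_PERSISTENT_LIFETIME:
        report.issues.append(f"lifetime {lifetime.days} days exceeds 12 months")
    domain = attrs.get("domain", "").lstrip(".")
    if domain and domain != site_domain:  # a parent Domain is shared with every subdomain
        report.issues.append(f"Domain={domain} is wider than {site_domain}")
    return report

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples
SAMPLE_HEADERS = [  # constructed, not captured from a real site
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "remember_me=tok; Max-Age=63072000; Path=/; Secure; HttpOnly",
    "theme=dark; Expires=Mon, 01 Jul 2024 00:00:00 GMT; Path=/; Domain=.example.com",
]
```

Calling check_cookie on each sample with site_domain "shop.example.com" reports the first cookie as a clean session cookie, the second as persistent for 730 days (over the limit), and the third as persistent but lacking Secure and HttpOnly and scoped to the parent domain.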

Flash cookies

  • Test detection and removal using specialized tools (like FlashCookiesView).
  • Verify behavior when accessing Flash content on websites.
  • Check persistence across browser sessions and after restarts of the device.

First-party cookies

  • Test creation and storage upon first-page load and after user interactions.
  • Check expiration dates and persistence across several browser sessions.
  • Ensure they are accessible only to the intended domain and path, to avoid exploits.

Third-party cookies

  • Check that they are set by third-party domains and have appropriate scopes.
  • Make sure that user consent is obtained for their usage, especially for tracking and advertising purposes.
  • Test how they affect user privacy and data protection.

Tools and techniques for testing cookies

Developer tools in the browser

With browser developer tools like Chrome’s DevTools, you have a built-in way to inspect, edit, and delete cookies. 

If we navigate to the Application panel of DevTools, we can see details about the cookies the website is using, grouped by domain, and we can view, edit, or delete them.

Automated checking tools

Tools like Selenium WebDriver, Playwright, and others can be used to verify cookie attributes and behavior. This can save testers some time, and the tools can act like an alarm system if something goes wrong with a cookie our website is using. 

These tools can simulate end-user behavior and interactions with our website, and they can be used to verify how our cookies behave across multiple sessions. 

Good old “manual” testing

While it’s true that automation can help make testing of application cookies much faster, there are cases where the human touch is required. Test automation solutions will only cover exactly what we instruct them to do. Actual human testing is still very much needed and welcomed, to explore our cookies to identify edge cases and to make sure cookies are implemented in an intuitive way that improves the user experience of our customers.

To wrap up

It's vital to understand how application cookies work and how they can affect the privacy and experience of our application's end users. This way, end users can be protected from privacy violations and can fully enjoy the UX enhancements that cookies can offer. 

Testing Consultant
I'm a tech geek, casual gamer, and sci-fi enjoyer. I love talking about software testing and being part of the testing community.