How do cookies work?
Web browsers and web servers exchange pages and other files using the HTTP protocol. For cookies, the distinction that matters is between two ways of handling a conversation over HTTP:
1- Stateless HTTP (the protocol as designed)
2- Stateful HTTP (state kept on top of HTTP by the application, using cookies)
Stateless HTTP: the server keeps no record of previous interactions, and each request has to be handled based entirely on the information that arrives with it.
Example: If we enter http://www.abc.com/sample.html into the web browser's address bar and press Enter, the conversation between the browser and the abc.com web server goes like this: the browser simply asks the abc.com web server for the page sample.html, and the server sends it back.
Once the browser has received the last byte of the response, the abc.com web server essentially forgets about the request. If we now send some other request to the web server, it executes that request without any memory of the earlier one; it does not need the earlier request in order to produce the new response.
Stateful HTTP: HTTP itself remembers nothing, so a web application that needs a history of previous browser and server interactions keeps that history with cookies.
Example: When the user first visits a site or page that uses cookies, the server's response carries a Set-Cookie header (script inside the HTML page can also write one), and the browser stores the small name/value record, the cookie, on the user's machine (classically as a text file). When the user visits the same page or domain later, the browser reads the stored cookie and sends it back with the request in a Cookie header, which is how the site identifies the second visit of the same user. An expiration time is set while writing the cookie; this time is decided by the application that is going to use the cookie.
Systems that use cookies:
Online ordering systems
Death of a cookie: When a web server sets a cookie on the system, it can optionally give it a "death" (expiration) date. When that date is reached, the browser deletes the cookie from the system.
If the web server does not give the cookie an expiration date, it is a per-session cookie. Per-session cookies are deleted as soon as the current browser session is closed, so a cookie with no death date is no longer on your system once the browser is closed.
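The exchange above, traced in code. This is an added example and not part of the original article: a small cookie jar that mimics what a browser does with Set-Cookie headers (storing cookies, sending them back only to the domain that set them, dropping per-session cookies when the browser closes, and purging cookies that have passed their death date). The host www.abc.com, the timestamps and the cookie names are constructed for the demonstration; Path, Secure and HttpOnly are parsed but ignored, and domain matching is by host suffix only, which is far simpler than a real browser.

```javascript
// Added example (not from the original article): a minimal browser cookie
// jar that traces the stateless request/response exchange and the "death"
// of a cookie. Simplifications: Path, Secure and HttpOnly are ignored and
// domain matching is by host suffix only.

// Parse one Set-Cookie header value received from `host` at time `now`
// (milliseconds since epoch). expires === null means a per-session cookie.
function parseSetCookie(header, host, now) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: host.toLowerCase(), // no Domain attribute: host-only cookie
    expires: null,
  };
  let maxAge = null;
  let expiresAttr = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age') maxAge = Number(val);
    else if (key === 'expires') expiresAttr = Date.parse(val);
    else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
  }
  // Max-Age takes precedence over Expires (RFC 6265, section 5.3)
  if (maxAge !== null) cookie.expires = now + maxAge * 1000;
  else if (expiresAttr !== null && !Number.isNaN(expiresAttr)) cookie.expires = expiresAttr;
  return cookie;
}

class CookieJar {
  constructor() {
    this.cookies = new Map(); // key "domain|name" -> cookie
  }

  // The browser stores every Set-Cookie header carried by a response.
  storeResponse(host, setCookieHeaders, now) {
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, host, now);
      this.cookies.set(c.domain + '|' + c.name, c);
    }
  }

  // Does `host` fall within a cookie's domain? (www.abc.com matches abc.com)
  static domainMatches(host, domain) {
    host = host.toLowerCase();
    return host === domain || host.endsWith('.' + domain);
  }

  // Build the Cookie request header the browser would send to `host` at `now`.
  // Cookies past their death date are purged here and never sent again.
  cookieHeaderFor(host, now) {
    const sent = [];
    for (const [key, c] of this.cookies) {
      if (c.expires !== null && c.expires <= now) {
        this.cookies.delete(key); // the cookie has "died"
        continue;
      }
      if (CookieJar.domainMatches(host, c.domain)) sent.push(`${c.name}=${c.value}`);
    }
    return sent.join('; ');
  }

  // Closing the browser discards per-session cookies (no Expires / Max-Age).
  closeBrowser() {
    for (const [key, c] of this.cookies) {
      if (c.expires === null) this.cookies.delete(key);
    }
  }
}

// Walk through the visit to abc.com described in the text and return the
// Cookie header the browser would send at each step.
function traceVisit() {
  const jar = new CookieJar();
  const t0 = Date.parse('2024-01-01T00:00:00Z'); // constructed timestamp
  const host = 'www.abc.com';
  const trace = {};

  // 1. First request: the server has no memory of us and we send no cookie.
  trace.firstRequest = jar.cookieHeaderFor(host, t0);

  // 2. The response sets a persistent cookie (dies after one day) and a
  //    per-session cookie (no expiry), both scoped to the whole abc.com domain.
  jar.storeResponse(host, [
    'visitor=42; Max-Age=86400; Domain=abc.com; Path=/',
    'session=xyz; Domain=abc.com; Path=/; HttpOnly',
  ], t0);

  // 3. Second request one second later: both cookies come back, so the
  //    server can recognise the returning user.
  trace.secondRequest = jar.cookieHeaderFor(host, t0 + 1000);

  // 4. Another host is outside abc.com and sees nothing.
  trace.otherDomain = jar.cookieHeaderFor('www.other.com', t0 + 1000);

  // 5. Close the browser: the session cookie is gone, the persistent one stays.
  jar.closeBrowser();
  trace.afterRestart = jar.cookieHeaderFor('shop.abc.com', t0 + 2000);

  // 6. Two days later the persistent cookie has passed its death date.
  trace.afterExpiry = jar.cookieHeaderFor(host, t0 + 2 * 86400 * 1000);

  return trace;
}
```

Calling traceVisit() gives an empty Cookie header for the first request, "visitor=42; session=xyz" for the second, nothing for www.other.com, only "visitor=42" after the browser restart, and nothing again after the expiry date has passed.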
Selectively rejecting cookies
What happens when some cookies are accepted and some are rejected? If the web application sets 10 cookies, accept some of them at random, say 5, and reject the other 5, then check that the application still behaves correctly (or fails gracefully) with only the accepted cookies.
Cookie tampering: First find out which cookies the web site saves and what information is stored in them. Then edit a cookie by hand (in Notepad, or in the browser's developer tools) and change its parameters to bogus values: change the cookie's content, change the cookie's name, and then perform actions on the web site. The server must not act on the altered values; a modified or corrupted cookie should be rejected (or treated as a logged-out user). In some applications a corrupted cookie ends up readable by another domain, or the edited values are trusted as they are; neither should happen with your web site's cookies.
There are web sites where there is no option other than saving sensitive data in a cookie. There it must be tested that the data stored in the cookie is encrypted rather than plain text, and, since encryption alone does not stop someone from swapping in a different value, that the cookie is also integrity-protected (signed) so that tampering is detected.
Deletion of cookies
Access a web site and allow it to write its cookies. Now close all browser windows and manually delete the cookies. Open the same web site again and try to work with it; the site should either start a fresh session cleanly or ask the user to log in again, not fail with errors.
Multi Browser testing
This is an important case: check that the web application page writes its cookies correctly in different browsers, and that the web site works properly with the cookies each browser has stored.