How do cookies work?

The HTTP protocol is used to exchange information and files on the web. There are two types of HTTP protocol:
1- Stateless HTTP
2- Stateful HTTP protocol

Stateless HTTP: keeps no record of previous interactions, so each request has to be handled based entirely on the information that comes with it.

Example: If we enter into our web browser’s address bar and press Enter, then the conversation between the browser and the web server goes like this: the web browser simply queries the web server for the page sample.html.

Once the browser receives the last byte of information over HTTP, the web server essentially forgets about the request data. If we now send another request to the web server, it will act on that request with no memory of the earlier one. It does not need to remember the earlier request in order to respond to the new request.

Stateful HTTP: keeps some history of previous interactions between the web browser and the web server, and this protocol is used by cookies to maintain user interactions.

Example: Whenever a user visits a site or page that uses cookies, a small piece of code inside that HTML page writes a text file, called a cookie, on the user's machine. When the user visits the same page or domain at a later time, this cookie is read from disk and used to identify the second visit of the same user on that domain. The expiration time is set when the cookie is written, and is decided by the application that is going to use the cookie.

Systems that use cookies:
Online Ordering Systems
Website Tracking

Death of a Cookie: When a web server sets a cookie on the system, it can optionally give it a “death” expiration date. When that date is reached, the cookie gets deleted from the system.

If the web server does not give an expiration date to a cookie, then the cookie is a per-session cookie. Per-session cookies are deleted as soon as you close the current session of the browser. So, if the cookie does not have a death date, then as soon as the browser is closed, the cookie is no longer on your system.

Cookie Testing: Now that we know the basics of the cookie world, let’s address how to test sites that use cookies.

Disabling Cookies
This is probably the easiest way of cookie testing. What happens when all cookies are disabled? Close all browsers and delete all cookies from the PC. Now open the website that uses cookies for its actions and perform the major functions of the website. Most of the time, these will not work because cookies are disabled. This isn’t a bug: disabling cookies on a site that requires cookies disables the site’s functionality.

Selectively rejecting cookies
What happens when some of the cookies are accepted and some are rejected? If there are 10 cookies in the web application, then randomly accept some of them, say accept 5 and reject 5 cookies.

Corrupting cookies
We need to know which cookies the web site is saving and what information is stored in the text files. Manually edit the cookie in Notepad and change the parameters to arbitrary values. For example, change the content of the cookie, change the name of the cookie, and then perform actions on the website. In some cases, corrupted cookies allow the data inside them to be read for any other domain. This should not happen with your web site's cookies.

Cookie Encryption
There are websites where we have no option other than saving sensitive data in a cookie. Here we need to test that the data stored in the cookie is stored in encrypted format.
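
An added example (not from the original post) for the "Death of a Cookie" and "Cookie Encryption" checks: it parses Set-Cookie header values, classifies each cookie as per-session, persistent or expired, and flags values that are readable as sent or after URL/Base64 decoding. The sample headers, the function names and the cleartext patterns are constructed assumptions.

```python
import base64
import re
from email.utils import parsedate_to_datetime
from urllib.parse import unquote

# Heuristics for readable sensitive data (assumed; tune per application).
CLEARTEXT = re.compile(r"(password|passwd|card|ssn)=|[\w.+-]+@[\w-]+\.\w+", re.I)

SAMPLE_HEADERS = [  # constructed Set-Cookie values, not from a real site
    "sid=9f2c1e7ab4d04c55; Path=/; HttpOnly",
    "prefs=" + base64.b64encode(b"user=alice@example.com").decode()
    + "; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "cart=item-42; Max-Age=0",
    "remember=user%40example.com; Max-Age=2592000",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (part.partition("=") for part in rest)}
    return name, value, attrs

def lifetime(attrs, now):
    """No expiry means per-session; Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return "persistent" if int(attrs["max-age"]) > 0 else "expired"
    if "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"])
        return "persistent" if expiry > now else "expired"
    return "per-session"

def readable_forms(value):
    """The URL-decoded value, plus its Base64 decoding when that yields text."""
    forms = [unquote(value)]
    try:
        forms.append(base64.b64decode(forms[0], validate=True).decode("utf-8"))
    except ValueError:  # not Base64, or decodes to non-text bytes
        pass
    return forms

def audit(headers, now):
    """Return (name, lifetime, looks_cleartext) for each Set-Cookie value."""
    report = []
    for name, value, attrs in map(parse_set_cookie, headers):
        exposed = any(CLEARTEXT.search(f) for f in readable_forms(value))
        report.append((name, lifetime(attrs, now), exposed))
    return report
```

Pass a timezone-aware `now` (for example `datetime.now(timezone.utc)`) to `audit`. A cookie flagged as cleartext is only encoded, not encrypted, so it fails the encryption check above.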

Deletion of cookies
Access a website and allow it to write a cookie. Now close all the browsers and manually delete the cookies. Open the same website again and try to work on it.

Multi Browser testing
This is an important case: check that the web application page writes its cookies properly on different browsers, and that the web site works properly using these stored cookies.