30 Days of Ecommerce Testing Day 18: 'C' is for cookies

Day 18: “What are cookies and how are they commonly used on an e-commerce website?”

Reference: Website Cookie Testing & Test Cases for Testing Web Application Cookies

This is a pretty good article, so I can’t do better than quote and summarize:

Basically cookies are locally cached files that store user identity and other information.

I knew that.

I didn’t know about the two types of cookies, or at least I never really thought about it.

#1) Session cookies:

This cookie is active as long as the browser that invoked the cookie is open. When we close the browser, this session cookie gets deleted. Sometimes a session timeout of, say, 20 minutes can be set to expire the cookie.

#2) Persistent cookies:

These are cookies that are written permanently on the user's machine and last for months or years.

There are a few applications listed, but we are interested in ecommerce:

To implement shopping cart:

Cookies are used for maintaining an online ordering system. Cookies remember what the user wants to buy. What if the user adds some products to their shopping cart and then, for some reason, doesn't want to buy those products this time and closes the browser window?

In the above instance, the next time the same user visits the purchase page he can see all the products he added to the shopping cart during his last visit.

There are lots of test cases in the article. Here are a few of my favorites:

Disable cookies and see how the site works. We need to make sure the site delivers the appropriate message, informing the user that cookies are required.

Partially accept cookies i.e. if your site writes 10 cookies, accept only 5 by using “manually accept” settings in your browser. See if this causes pages to crash or data to become corrupted.

Corrupt cookies - manually edit the cookie files in order to corrupt them, and see what effect this has on the site.

Validate expiration dates - make sure cookies expire when they are supposed to.

Validate persistence - Check cookie types and make sure they are persistent if required.

-Dave K

(Note: Thanks to the Testers Slack people for assuring me that the Sesame Street reference is not lost on our international audience.)


Twitter thing again:

I did not know this about Universal Tracking IDs!

1 Like

Cookies are small (up to 4 KB, as specified by the IETF) text files used to hold state information for the stateless HTTP(S) protocol over which the browser communicates with the server. Examples of such information are the session ID created when the user logs in or the referrer (the page from which the user clicked the link to the current page).


There are two kinds of cookies:

  • session cookies (no expiry date, should be deleted when the user closes the browser)
  • permanent/tracking cookies (with an explicitly set expiry date, kept between browser sessions)

There are also two other ways for the browser to hold state information which allow storing up to 5 MB of data and are worth knowing about:

  • session storage (for the lifetime of a tab)
  • local storage (kept indefinitely or until it is manually deleted)

When a page can be opened and interacted with in multiple windows and tabs at the same time, using cookies and other session storage solutions (including custom ones built on top of session and local storage) can be tricky, but also an interesting area to test.
For example, I had a product under test that was displaying paged news feeds on multiple topics. When I opened two different topics in separate browser tabs and wanted to load the second page of results in tab 1, news for topic 2 was displayed instead. There were also a lot more such crossover effects and many a bug-quashing session around it.


Three top areas of cookie usage are:

  • session management (e.g. logins, shopping cart contents of a guest visitor, items to compare, but also score in an online game, or, in the excellent TestBuddy, starting time of the exploratory testing session)
  • personalization (e.g. selected visual theme)
  • tracking (e.g. referrers, tracking IDs for advertising)

Tracking can include the use of so-called third-party cookies, where a Web site which collects user information (e.g. Facebook) sets a cookie when the user visits it, and then embedded scripts on other Web sites (for example around the “Like” button embedded everywhere) interact with the cookie. Note that you don’t even need an account with the tracking site for this to happen; they can just give you a “guest ID” and still keep tabs on what you’re up to online if you visited them even once.


Privacy - especially with tracking cookies.
Browsers now offer blocking third-party cookies so that if a cookie was set in a different domain than the one currently visited, it cannot be accessed. Privacy-conscious users may have these cookies disabled (along with a number of other tracker types).

Cookies are not designed as a secure mechanism and are vulnerable to a number of attacks where a user session can be hijacked by a malicious party.

More information
Mozilla Developer Network web docs
AllAboutCookies.org has a nice write-up of well, all things cookies, both technical and regulatory


I did a bit of security testing wherein I checked the contents of cookies before login and after login - they are supposed to have some different numbers.

1 Like

A bit late for day 18, but still on the road:
"What are cookies and how are they commonly used on an e-commerce website?"

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing.

Definition from Wikipedia.

  • Session cookie: a cookie that exists only temporarily while the user navigates the website. After the user closes the browser, the cookie will be deleted.
  • Persistent cookie: unlike the session cookie, it has an expiration date and it does not expire after the user leaves the page or closes the browser.
  • Secure cookie: a type of cookie that can only be transmitted via an encrypted HTTPS connection.
  • Http-only cookie: cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks.
  • Third-party cookie: a cookie which is not provided by the main site but by a “third” site.

Session management: it stores the items saved in a cart as the user navigates through the website. But it has other usages, like the website login.

Personalization: It helps the website to store important information, like the username used in the previous session, to improve the user experience.

Tracking: basically it tracks the user's habits. This is the most common usage of cookies, as companies use this for their own purposes.

Most of the definitions were extracted from Wikipedia. It was an interesting lecture and everything was clear.

1 Like

More twitters! This reminded me of my t-shirt with the cookie monster on it 🍪

My day 18 🙂 https://wp.me/p9EXXo-5q

1 Like

There are so many posts about the definition of cookies; I have the same ideas. I listed some kinds of cookies below:

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user’s browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.

Secure cookie
A secure cookie can only be transmitted over an encrypted connection (i.e. HTTPS). They cannot be transmitted over unencrypted connections (i.e. HTTP). This makes the cookie less likely to be exposed to cookie theft via eavesdropping. A cookie is made secure by adding the Secure flag to the cookie.

Http-only cookie
An http-only cookie cannot be accessed by client-side APIs, such as JavaScript. This restriction eliminates the threat of cookie theft via cross-site scripting (XSS). However, the cookie remains vulnerable to cross-site tracing (XST) and cross-site request forgery (XSRF) attacks. A cookie is given this characteristic by adding the HttpOnly flag to the cookie.

Same-site cookie
In 2016 Google Chrome version 51 introduced a new kind of cookie, the same-site cookie, which can only be sent in requests originating from the same origin as the target domain. This restriction mitigates attacks such as cross-site request forgery (XSRF). A cookie is given this characteristic by setting the SameSite flag to Strict or Lax.

Third-party cookie
Normally, a cookie’s domain attribute will match the domain that is shown in the web browser’s address bar. This is called a first-party cookie. A third-party cookie, however, belongs to a domain different from the one shown in the address bar. This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. This opens up the potential for tracking the user’s browsing history and is often used by advertisers in an effort to serve relevant advertisements to each user.

Most modern web browsers contain privacy settings that can block third-party cookies.

A supercookie is a cookie with an origin of a top-level domain (such as .com) or a public suffix (such as .co.uk). Ordinary cookies, by contrast, have an origin of a specific domain name, such as example.com.

Supercookies can be a potential security concern and are therefore often blocked by web browsers. If unblocked by the browser, an attacker in control of a malicious website could set a supercookie and potentially disrupt or impersonate legitimate user requests to another website that shares the same top-level domain or public suffix as the malicious website. For example, a supercookie with an origin of .com, could maliciously affect a request made to example.com, even if the cookie did not originate from example.com. This can be used to fake logins or change user information.

Other uses
The term “supercookie” is sometimes used for tracking technologies that do not rely on HTTP cookies. Two such “supercookie” mechanisms were found on Microsoft websites in August 2011: cookie syncing that respawned MUID (machine unique identifier) cookies, and ETag cookies. Due to media attention, Microsoft later disabled this code.

Zombie cookie
A zombie cookie is a cookie that is automatically recreated after being deleted. This is accomplished by storing the cookie’s content in multiple locations, such as Flash Local shared object, HTML5 Web storage, and other client-side and even server-side locations. When the cookie’s absence is detected, the cookie is recreated using the data stored in these locations.

1 Like
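The checks that run through this thread (validate expiration and persistence from the first post, the Secure/HttpOnly/SameSite flags and third-party cookies from the later posts, and the supercookie Domain problem just above) can be turned into a small audit a tester runs over the Set-Cookie headers a shop actually sends. The script below is an added example written for this page, not code from the thread, from the quoted article or from Wikipedia. It assumes Node.js 14 or later with no packages; the sample headers, the cookie names and the five-entry public-suffix list are constructed for the example and stand in for a real response and the real Public Suffix List.

```javascript
// Added example (not from the thread or the sites it quotes): audit Set-Cookie
// headers against the checks discussed above, then show which cookies a browser
// would attach to a cross-site request under each SameSite policy.
// Assumes Node.js 14+, no packages. Sample data below is constructed.

// Constructed stand-in for the real Public Suffix List (publicsuffix.org).
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'co.uk', 'github.io']);

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flags without a value become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, ...v] = part.trim().split('=');
    attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return { name, value, attrs };
}

// Session vs persistent: Expires or Max-Age makes a cookie persistent; neither
// makes it a session cookie. A Max-Age <= 0 or a past Expires deletes it.
function lifetime(cookie, now = new Date()) {
  const a = cookie.attrs;
  if ('max-age' in a) return Number(a['max-age']) > 0 ? 'persistent' : 'expired';
  if ('expires' in a) return new Date(a.expires) > now ? 'persistent' : 'expired';
  return 'session';
}

function normalizeDomain(d) {
  return String(d).replace(/^\./, '').toLowerCase();
}

// Findings a tester would raise for one cookie. `sessionNames` lists the
// cookies that carry the login session and are expected to be session cookies.
function audit(cookie, { sessionNames = [], now = new Date() } = {}) {
  const a = cookie.attrs;
  const findings = [];
  if (!a.secure) findings.push('missing Secure: also sent over plain HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: readable by page scripts');
  if (!a.samesite) findings.push('missing SameSite: cross-site behaviour depends on browser default');
  if (String(a.samesite).toLowerCase() === 'none' && !a.secure)
    findings.push('SameSite=None without Secure: browsers reject this cookie');
  if (a.domain && PUBLIC_SUFFIXES.has(normalizeDomain(a.domain)))
    findings.push(`Domain=${a.domain} is a public suffix (supercookie): browsers reject it`);
  const life = lifetime(cookie, now);
  if (sessionNames.includes(cookie.name) && life === 'persistent')
    findings.push('login session cookie is persistent: survives closing the browser');
  return { name: cookie.name, lifetime: life, findings };
}

// Would the browser attach this (already accepted) cookie to a request?
// Simplified SameSite rules: same-site requests always carry it; cross-site
// requests never carry Strict cookies, carry Lax cookies only on top-level GET
// navigations, and always carry None cookies. A missing attribute is treated
// as Lax, the default modern Chromium applies.
function wouldSend(cookie, { sameSite, method = 'GET', topLevelNavigation = false }) {
  if (sameSite) return true;
  const policy = String(cookie.attrs.samesite || 'lax').toLowerCase();
  if (policy === 'none') return true;
  if (policy === 'strict') return false;
  return topLevelNavigation && method === 'GET';
}

// Constructed sample headers, as a shop might send them (not from a real site).
const SAMPLE_HEADERS = [
  'sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax',
  'cart=sku42:1,sku7:2; Path=/; Max-Age=2592000',
  'theme=dark; Expires=Wed, 01 Jan 2020 00:00:00 GMT',
  'tracker=guest-9f8e; Domain=.com; SameSite=None',
];

// Fixed "now" so the expiry check is reproducible.
function auditAll(headers, now = new Date('2024-06-01T00:00:00Z')) {
  return headers.map((h) => audit(parseSetCookie(h), { sessionNames: ['sessionid'], now }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditAll(SAMPLE_HEADERS)) console.log(r.name, r.lifetime, r.findings);
}
```

Run as `node cookie-audit.js` and the session cookie passes clean, the cart cookie is reported as persistent but unflagged, the theme cookie is already expired, and the tracker cookie collects both the SameSite=None-without-Secure and the public-suffix findings. The `wouldSend` helper is the same logic a tester applies by hand when checking whether a cart or login cookie rides along on a cross-site form post, which is what the SameSite attribute is there to prevent.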