Cookies
What Are Cookies?
Cookies are small pieces of data that websites store in a user’s browser. They serve as a mechanism for web servers to persist information across requests, enabling a range of functionality that would be impossible with stateless HTTP alone.
Websites use cookies to:
Track users - Monitor visitor behavior, page visits, and interactions for analytics and user profiling.
Store authentication tokens - Maintain login sessions without forcing users to re-enter credentials on every request.
Persist user preferences - Remember choices like language, theme, display settings, or accessibility options.
Store shopping cart data - In e-commerce, cookies can hold cart contents temporarily until checkout.
Enable personalization - Tailor content based on previously stored user preferences.
A useful visual reference on cookies in web development can be found in this Twitter discussion.
Historical Context: When Cookies Were Introduced
Cookies have been part of web technology since its early days. Netscape introduced cookies as a mechanism to store user session data, addressing the fundamental problem that HTTP is a stateless protocol. Without cookies (or other mechanisms like URL parameters or server sessions), there was no way to maintain state across multiple requests from the same user.
The technical specification for cookies evolved over time, eventually being formalized in standards like the HTTP State Management Mechanism (documented at Wikipedia).
Setting Cookies Across Domains
Working with cookies across multiple domains introduces complexity. Setting cookies that work in subdomains requires understanding the Domain attribute in the Set-Cookie header.
A common confusion point is whether a leading dot is required (e.g., .example.com vs example.com). According to RFC 6265 and MDN documentation, a leading dot is not required: modern browsers ignore it and match domains consistently either way, so Domain=example.com and Domain=.example.com behave the same.
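The domain-matching rule from RFC 6265 (section 5.1.3) is small enough to write out, which makes the leading-dot question concrete. The following is an added example, not code from the original page; it implements the domain-match check and the two places a browser applies it (accepting a Set-Cookie, and deciding which hosts a stored cookie is sent to). It deliberately omits the public-suffix check real browsers also apply (Domain=com is rejected), which is assumed out of scope here.

```javascript
// Added example (not from the original article): RFC 6265 domain matching.
// The leading dot that old Netscape-style docs required is simply dropped
// (RFC 6265 section 5.2.3); matching then follows section 5.1.3.

// Normalise a Domain attribute value the way a browser does: lowercase and
// strip a single leading dot.
function normalizeDomain(attr) {
  let d = String(attr).trim().toLowerCase();
  if (d.startsWith('.')) d = d.slice(1);
  return d;
}

// domain-match: the host equals the domain, or ends with "." + domain and is
// not an IP literal. Comparison is case-insensitive.
function domainMatches(host, domain) {
  const h = String(host).toLowerCase();
  const d = normalizeDomain(domain);
  if (d === '') return false;
  if (h === d) return true;
  // IPv4/IPv6 literals never get suffix matching.
  if (/^[0-9.]+$/.test(h) || h.includes(':')) return false;
  return h.endsWith('.' + d);
}

// Would a browser store a Set-Cookie carrying this Domain when the response
// came from `responseHost`? RFC 6265 section 5.3 step 6: the response host
// must domain-match the attribute, otherwise the cookie is ignored. This is
// why app.example.com may set a cookie for example.com, but example.com may
// not set one scoped to app.example.com.
function cookieDomainAccepted(responseHost, domainAttr) {
  return domainMatches(responseHost, domainAttr);
}

// Which hosts receive a stored cookie? A host-only cookie (no Domain
// attribute in Set-Cookie) goes only to the exact host; a domain cookie goes
// to the domain and every subdomain of it.
function cookieSentTo(requestHost, storedDomain, hostOnly) {
  if (hostOnly) return String(requestHost).toLowerCase() === normalizeDomain(storedDomain);
  return domainMatches(requestHost, storedDomain);
}
```

The practical consequence for the subdomain case in the text: omit Domain entirely and the cookie stays on the one host that set it; set Domain=example.com (dot or no dot) and every subdomain receives it.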
Testing Cookies Across Domains
Testing cookies across domains is challenging in practice. One significant complication is that you often cannot set cookies for a domain you don’t control during testing. A practical solution is to test cross-domain cookie behavior within your own subdomains during development.
It’s also important to be aware of CORS (Cross-Origin Resource Sharing) implications when working with cookies. Browsers do not attach cookies to cross-origin requests unless the request opts in explicitly: credentials: 'include' for fetch, or withCredentials: true for XMLHttpRequest, as discussed in this StackOverflow thread.
Types of Cookies
Cookies fall into two main categories based on their lifetime:
Session cookies - These cookies exist only while the browser is open. Once the user closes the browser, the session cookie is deleted. They’re useful for temporary data like shopping carts or one-time tokens.
Persistent cookies - These cookies are stored on the user’s machine until they expire (based on a set expiration date) or are manually deleted. They survive browser restarts and are useful for user preferences or long-term tracking.
Real-World Cookie Usage
Cookies appear in many practical scenarios:
Shopping carts - E-commerce sites store cart contents in cookies (or combine cookies with server sessions) to remember what users have selected.
Personalized sites - News sites, social media, and content platforms use cookies to remember user preferences and customize the experience.
User tracking - This is perhaps the most common usage. Analytics platforms and advertisers use cookies to track users across sites and build behavioral profiles. This usage is increasingly regulated and restricted due to privacy concerns.
User sessions - Authentication systems use cookies to maintain login state, avoiding the need to send credentials with every request.
Drawbacks and Security Concerns
Despite their utility, cookies come with significant limitations and security considerations:
Cookie disabling - Users can disable cookies entirely in their browser settings. With growing privacy awareness and browser changes (notably Safari and Firefox’s default third-party cookie blocking), cookie availability can no longer be assumed. Applications must gracefully degrade when cookies are unavailable.
Security vulnerabilities - Cookies can be exploited in several ways:
XSS (Cross-Site Scripting) - If an attacker injects malicious JavaScript into a page, that script can read cookies that lack the HttpOnly flag. Setting HttpOnly on sensitive cookies (like session tokens) prevents this.
CSRF (Cross-Site Request Forgery) - Browsers automatically include cookies in requests to a domain, even if the request originates from another site. This allows attackers to trick users into making unwanted requests (e.g., transferring money, changing passwords). Mitigating CSRF requires CSRF tokens or SameSite cookie restrictions.
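Both mitigations above live on the server: the session cookie is issued with HttpOnly, Secure and SameSite, and state-changing requests are rejected unless they carry a CSRF token that a cross-site page could not have read. The following is an added example, not code from the original page or any framework; the request shape ({method, headers, body}), the sessions map and the finding strings are assumptions made for the illustration.

```javascript
// Added example (not part of the original article): hardened session cookie
// plus a synchronizer-token CSRF check. `sessions` and the request object
// shape are assumptions for this illustration, not a real framework API.

// HttpOnly keeps document.cookie (and therefore an XSS payload) from reading
// the value, Secure restricts it to HTTPS, SameSite=Lax keeps the browser from
// attaching it to cross-site POSTs.
function sessionCookieHeader(name, value, { sameSite = 'Lax', maxAgeSeconds = null } = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'Secure', `SameSite=${sameSite}`];
  if (maxAgeSeconds !== null) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Constant-time comparison so the check does not leak, via timing, how many
// leading characters of a guessed token were right.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Parse the Cookie request header into a name -> value map. Browsers send only
// name=value pairs; attributes never travel back to the server.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of String(header || '').split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    out[pair.slice(0, idx).trim()] = decodeURIComponent(pair.slice(idx + 1).trim());
  }
  return out;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Synchronizer-token check. The browser-sent cookie identifies the session;
// the form body or a custom header must carry the token stored for that
// session. A cross-site page can make the browser attach the cookie but
// cannot read the token, so the request fails here.
// `sessions` is a Map of session id -> { csrfToken }.
function checkCsrf(req, sessions) {
  if (SAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };
  const cookies = parseCookieHeader(req.headers.cookie);
  const session = sessions.get(cookies.sid);
  if (!session) return { ok: false, reason: 'no session' };
  const presented = (req.body && req.body.csrf_token) || req.headers['x-csrf-token'];
  if (!tokensEqual(session.csrfToken, presented)) return { ok: false, reason: 'csrf token mismatch' };
  return { ok: true, reason: 'token matched' };
}
```

SameSite=Lax already blocks the classic cross-site POST, but the token check is kept as a second layer because Lax still permits top-level GET navigations and older browsers apply no SameSite default at all.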
Privacy concerns - Third-party cookies (used for cross-site tracking) have become controversial and are being phased out. Regulations like GDPR and CCPA impose requirements around cookie consent and data handling.
Testing Cookies Effectively
Testing cookies requires a comprehensive approach covering multiple scenarios. Software Testing Help provides detailed guidance on cookie testing strategies.
Key areas to test include:
Privacy controls - Verify that users can accept or reject cookies. Test that accepting some cookies while rejecting others works correctly. Ensure that user preferences are respected across sessions.
Disabling cookies - Test application behavior when cookies are disabled. Ensure critical functionality either works without cookies or fails gracefully with a clear message to users.
Cookie validity - Test handling of corrupted cookies, expired cookies, and manually deleted cookies. The application should not crash or expose errors when cookies are invalid.
Cookie deletion - Verify that logout functionality properly clears session cookies. Test that clearing browsing data removes cookies as expected.
Security attributes - Verify that sensitive cookies are marked with HttpOnly, Secure, and SameSite flags where appropriate.
Cross-domain behavior - If your application spans multiple domains, test that cookies are set and sent correctly across domain boundaries.
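Several of the checks above (cookie validity, deletion on logout, security attributes, and the session-versus-persistent distinction from the Types of Cookies section) can be automated against the raw Set-Cookie headers an application returns. The following is an added example, not code from the original page or any test framework: a small Set-Cookie parser plus the checks a test suite would run over it. The finding strings and the sensitive option are assumptions made for the illustration.

```javascript
// Added example (not from the original article): parse Set-Cookie response
// headers and run the checks a cookie test suite would apply.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive (RFC 6265 section 5.2). Returns null
// for a header with no name=value pair, which a browser would drop.
function parseSetCookie(header) {
  const [pair, ...attrs] = String(header).split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    path: null, domain: null, expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  if (cookie.name === '') return null;
  for (const raw of attrs) {
    const i = raw.indexOf('=');
    const key = (i < 0 ? raw : raw.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : raw.slice(i + 1).trim();
    switch (key) {
      case 'path': cookie.path = val; break;
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'expires': { const t = Date.parse(val); cookie.expires = Number.isNaN(t) ? null : t; break; }
      case 'max-age': { const n = parseInt(val, 10); cookie.maxAge = Number.isNaN(n) ? null : n; break; }
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Session vs persistent vs already expired. Max-Age takes precedence over
// Expires when both are present (RFC 6265 section 5.3 step 3). `now` is
// epoch milliseconds.
function cookieLifetime(cookie, now = Date.now()) {
  if (cookie.maxAge !== null) return cookie.maxAge <= 0 ? 'expired' : 'persistent';
  if (cookie.expires !== null) return cookie.expires <= now ? 'expired' : 'persistent';
  return 'session';
}

// A logout response clears a cookie by re-sending it with a lifetime in the
// past; a plain "Set-Cookie: sid=" without that leaves a session cookie alive.
function clearsCookie(cookie, now = Date.now()) {
  return cookieLifetime(cookie, now) === 'expired';
}

// Security-attribute audit. `sensitive` marks tokens that must never be
// readable by script or sent over plain HTTP.
function auditCookie(cookie, { sensitive = false } = {}) {
  const findings = [];
  if (sensitive && !cookie.httpOnly) findings.push('missing HttpOnly');
  if (sensitive && !cookie.secure) findings.push('missing Secure');
  if (cookie.sameSite === null) findings.push('no SameSite (browser default applies)');
  if (cookie.sameSite === 'none' && !cookie.secure) findings.push('SameSite=None requires Secure');
  return findings;
}
```

The expired-cookie and malformed-header cases are the ones worth keeping in the suite: they are what the application actually receives from a user who has stale or hand-edited cookies, and the parser returning null rather than throwing is the behaviour the Cookie validity item above asks for.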