The concept of cookies, cache and browser session

Cookies, cache and browser sessions are concepts every tester faces working with web applications. As a result, a lot of questions appear related to them. In order to understand the general idea of cookies, cache and browser sessions, it is necessary to define their terminology, scope of use, and learn how to use these data, depending on the chosen browser.

Cache

It's no secret that the website must load fast for quality work on the Internet. Every extra second for a web page to load can be crucial and make the user leave the website without waiting for its full loading. Of course, it is unacceptable, and the primary goal of web specialists is to prevent it. 

The problem is that the web server transfers a large amount of data to the client (browser) whenever the page is updated. Accordingly, it does not contribute to the fast work of the site. Browser cache must resolve this problem and optimize the web application work.

In other words, the internet connection is slower than the work of your PC. Due to data cashing, a browser keeps the part of information locally on the user's computer. Therefore there is no need to download the same information repeatedly as the needed data are uploaded from the PC's memory without using the Internet. In this way, a page is loaded much faster. 

What is usually stored in cache memory? Generally, web pages of one site share a common design. So there are elements that are repeated on different pages, for example, the site logo. The logo can be locally saved in the cache and uploaded from the user's hard drive to avoid transferring data during every new page loading. Other than images, there is also caching of sound, video, text, etc.

Browser cache has a size limit. This value can be configured. When the cache size reaches its limit, the parts that have not been used the longest are deleted and clear space for new elements.

Cookies

Cookies are a certain amount of data created by a web server after a user visits a web page and stored on the user's computer in a separate text file.

Usually, cookies include credentials, personal, settings and preferences information chosen during the work with a web page, and other service information.

If a browser supports cookies, then this amount of data are transferred from client to server in every request. Why does the site need this information? It is usually used for:

• user authentication (otherwise, you would have to fill in login and password in every request);
• personalisation – using parameters chosen by users in the following requests, for instance, site language or products in the cart;
• gathering and analyzing statistics;
• tracing session (the concept of session we will consider in detail later).

In a technical sense, cookies are small text files. The maximum size of such one file is 4096 bytes. What can be included in it:

• cookie's name;
• value – something that is transferred to a server and processed in request;
• domain, to which the cookie belongs to and which can receive it;
• URL within the specified domain and for which a certain cookie will be valid;
• lifetime. Cookies can be stored in a limited amount of time set for every specific cookie. It can be exact time, date, or session value, in case of cookies exist until the end of the current session;
• HTTP. It is assigned if cookies are used only by HTTP;
• security. This parameter means that the cookie will be transferred only with the help of HTTPS;
• size of cookie file in bytes.

Session

The web server's peculiarity remains in the inability to identify whether requests are coming from the same browser or different ones because the HTTP protocol does not allow tracking these states and maintaining continuous communication with a client. So every new request is processed separately without any connection to the previous one. Browser session helps to deal with this problem. It is a mechanism that allows tracking requests from one browser and saving some changes while browsing website pages.

Wіth the start of the session, the file is created on the server-side. It has information about the user, their actions, and events during one session. For example, it can be browsing website pages, different interactions of the user with the page elements, making transactions, etc.

The new session cannot be started until the previous one is active. The old session will end on one condition (depending on the settings):

• after ending the certain period of inactivity time (timeout)
• at a particular time of the day, for example, midnight;
• after closing the browser.

Now, when the cash, cookie, browser session concepts and the difference between them are considered, it is time to learn how to use them. As a rule, it is enough for a user to know how to clean the browser cash, turn on/turn off/delete/change cookies, and know how to find these files on the PC.

Let us start with cache. First, it is important to consider in which browser the user works. You should not forget that different browsers save the cache of the same web application in the other folders of the following directory: C:\Users\Admin\AppData\Local\. If you cannot find this system folder on your PC, it is necessary to turn the display of the hidden files on. Every browser creates in this directory its own folder, where it saves the cache files. The popular browsers will be examined below:

• Google Chrome

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Cache

• Internet Explorer

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\

• Mozilla Firefox

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zxcvb5678.default\cache2\entries

• Opera

C:\Users\Admin\AppData\Local\Opera Software\Opera Stable\Cache

• Safari

~/Library/Caches/com.apple.Safari/

Clear cache, cookies and all data about the website are possible directly in the browser. So let us look at the popular browsers and find out how to clear the cache in them:

• Google Chrome

Settings – Privacy & Security – Clear History – Browser History – Delete Data

• Internet Explorer

Settings – Security – Delete browser log – Select temporary files and cookies – Delete

• Mozilla Firefox

Settings – Privacy and security – Cookies and website data – Delete data – Delete

• Opera

Settings – Advanced – Privacy and Security

  – Clear visit history – Delete data

• Safari

Development – Clear caches (developer menu must be enabled in application settings)

To avoid getting lost in your browser settings, one can use hotkeys: Ctrl + Shift + Del  for most browsers and (Option) + ⌘ (Command) + E for Safari on Mac ОS.

Follow these steps to find cookies in Chrome:

Browser menu (three dots in the upper right corner) – Settings – Advanced – Site settings – Cookies

 Thus the control menu of cookie files will be opened. What parameters can be set:

• turn on/off cookie saving with the slider help;
• setting the deletion of cookies after closing the browser;
• blocking cookies;
• turn the above-mentioned options on for the certain websites (The list is set manually);
• looking at the full list of the saved cookies files, search for the necessary cookie in the list;
• deleting all cookies for all or some websites;
• looking at all information stored in every separate file.

In Internet Explorer 11 these options are available this way: Browser Menu – Browser Options – the «Privacy» tab – Websites/Advanced. This Menu makes it possible to work with cookie files for specific websites. However, it is required to use developer mode (by clicking F12) to look at the values of saved parameters of the cookies for a certain website. There is a request list on the «Network» tab and information about them in the  «Cookie files» in the right window.

Applications are often developed quite dynamically. Сhanges can be applied to the site several times a day. Therefore, the tester should remember that it is necessary to clear the cache before starting testing a website. If you forget about this simple procedure, the page might be downloaded from the cache, and as a result, the changes will not be seen. The experienced tester always sticks to this rule.

The session mechanism is designed to identify the browser and process requests in one session by using the changes from the previous requests. All the information about sessions is usually saved on the server and is not available on the client side. If a tester knows when the session should end and how the website should behave in case of its completion, he can design some test cases for checking it.

Example №1

On the banking services site, there is a 10 minutes inactivity time limit. After this, the session is forced to end and the user sees the corresponding message. In this case, the tester can check whether the message is displayed in 10 minutes of inactivity, the user has access to information from the closed session, or there is redirection to the main page, and the previous session is updated after the pop-up window closure. Session testing can also be performed during safety testing.

Example №2

The design change is planned on the site. It has been decided to conduct a study to choose an option the users will like the most. As a result, after opening the site, the user sees one of the two design options. The user's behavior, his time on the site, and other indicators are analyzed, and then the decision about the final design choice is made. It is expected that until the user closes the browser, all the website pages that he will see will be designed the same way – according to one of the two design options. At this point, the tester must check that the appearance of the site is not changed during one session. The understanding of the session concept helps in A/B testing.

You can use the special extension to edit cookies for the Google Chrome browser called EditThisCookie. After installing an extension, the user can open the list of available cookies for this site when going to the page. The listed files can be deleted or edited in any way. Furthermore, there is a possibility of adding cookies, importing them in the JSON format, or exporting them.

Often for correct work of the website, it is required to enable cookies. In this case, the check options are the website work with enabled and disabled cookies. One more untrivial check is changing cookies manually using both valid and invalid data, purposely «breaking» cookies. Using tools to edit these values, a tester can check whether there is a possibility to obtain access to the other user's account by changing cookie files. 

Cookies consist of authorizing and other confidential information about the user. Using tools to edit these values, a tester can check whether there is a possibility to obtain access to the other user's account by changing cookie files. This type of testing is related to security testing.

You may use the browser developer tools to add or edit a cookie file. For these purposes, there is the document.cookie property. Then the "key = value" pair is written in the quotation. For example, the following row document.cookie = "ABC = DEF".

will create the cookie with the ABC name and the DEF value. Therefore, it is possible to change all existing cookies by writing the command with the necessary values.

It is worth adding some more properties inside the quotation for correct work by dividing them with a semicolon, for example:

• domain (document.cookie="ABC=DEF; domain=test.com" –  this row will add a cookie with the ABC name, the DEF value and real numbers only for the test.com domain);
• expires (document.cookie="ABC=DEF; domain=test.com; expires=Thu Jul 09 2020 14:26:51" – now the cookie lifetime is set as well – until 09.07.2020 14:26:51);
• secure (document.cookie="ABC=DEF; domain=test.com; expires=Thu Jul 09 2020 14:26:51; secure;" – thanks to this property, the cookie is protected and valid only during http connection);
• path (document.cookie="ABC=DEF; domain=test.com; expires=Thu Jul 09 2020 14:26:51; secure; path=/;" –  the path in the cookie will be displayed as «/», so the value will be sent for any request, but if the path is limited to a defined set of documents, the cookie file will be sent only for one of them).

And finally, the most important part is how to apply this knowledge in practice. On real projects, using cookies really makes the tester's life easier. So now, let us consider the situation where cookie editing is used.

Example

There is a pop-up on the site that should appear once a week. The site creates a cookie file for the user with the "showPopup": false value, whose lifetime is a week (as well as an interval of the repeatable display of the pop-up). After the end of this period, the reminder for the user will be shown again.

The tester's task is to ensure the user will see the pop-up at the fixed time. How to test this? Of course, you can wait seven days to check it, but spending so much time on this test is not reasonable. Here one can cheat a little and manually change cookies. For example, edit the «expires» key value and set the cookie duration to 1 minute. The cookie will be irrelevant in a minute, and the user must see the message again.

At first sight, cookie, cache and browser sessions can seem confusing or difficult to understand. However, you can make sure that there is nothing complicated if you apply gained knowledge in practice and understand the definition.