A Three-Tiered Testing Strategy for Cookies

Cookies, the HTTP state management mechanism, are the backbone of many web applications. Despite a high adoption rate, cookies have remained virtually unexplored by the academic community. This paper presents an EBNF grammatical definition and a three- tiered testing strategy for cookies. The testing strategy builds upon anti-random and grammar-based methodologies examining cookies from three perspectives: cookies collections, individual cookie transformations and application-specific test-case generation. The collection of cookies maintained within a user-agent are explored in light of the anti-random test- suite reduction techniques and the grammatical definition of a cookie, culminating in the definition of a number of seeding test-vectors providing the basis for a scalable test-suite. A number of distinct grammatically correct cookie transformations are presented, providing further scalability to the proposed testing strategy. Finally a discussion of application-specific cookie transformations is presented, with focus upon the security and reliability concerns of modern web applications.