One of the most common things to have to test is sessions, cookies, and login/logout. This is the start of a pattern for that kind of testing.
First, some background:
- OWASP has a great cookie/session state document: http://www.owasp.org/index.php/Testing_for_Cookie_and_Session_Token_Manipulation
- Wikipedia HTTP cookie: http://en.wikipedia.org/wiki/HTTP_cookie An excellent treatise on the origin of cookies, with a synopsis of cookie attacks.
- How to view cookies in IE 7 http://kb.iu.edu/data/ajfh.html
- Session hijacking: create several cookies for your site (varying login sessions). Tests: 1) Can you substitute the session ID from one session and use it in another session? 2) What happens with invalid session IDs? 3) Prevention: require that cookies only be sent over HTTPS (set the Secure flag when creating the cookie).
- Cookie poisoning: change values in a cookie - for instance, if a cookie stores the check-out value in a shopping cart, the user could change that value before checking out.
- Back button: do something that adds/modifies a cookie, then click 'back'. The state could then be out of sync (being on a page which expects you to NOT have a value in your cookie which you actually do have).
- Expiration: cookies without an expiration are considered 'not persistent' and should be destroyed at the end of the session. Persistent cookies represent a security risk for as long as they persist; make sure the expiration of a cookie is reasonable (30 min?) based on typical user scenarios.
- Log in, thereby picking up a session ID. Make a note of the session ID. Close the browser, then log in as someone else. Finally, update the cookie to the ID you noted previously and hit refresh. Does the session change?
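As an added example (not part of the original notes), a small Python harness for two of the checks above: auditing a Set-Cookie header for the Secure and HttpOnly flags and a reasonable lifetime, and signing a cart value with an HMAC so client-side cookie poisoning is detected instead of trusted. The header strings, the key and the clock value are constructed samples.

```python
import hmac, hashlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed clock value used when judging Expires= attributes (assumption, not from the page).
NOW = datetime(2021, 6, 9, 10, 0, tzinfo=timezone.utc)

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, value, attrs

def audit_cookie(header, now=NOW, max_minutes=30):
    """Return a list of findings; an empty list means the cookie passes the checks."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by page scripts")
    lifetime = None  # None means a non-persistent (session) cookie
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"]) / 60
    elif "expires" in attrs:
        lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 60
    if lifetime is not None and lifetime > max_minutes:
        findings.append(f"persistent for {lifetime:.0f} min, longer than {max_minutes} min")
    return findings

def sign_value(value, key):
    """Attach an HMAC tag so a client-modified value (cookie poisoning) is detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_value(token, key):
    """Return the value if its tag checks out, else None; never trust an unverified value."""
    value, _, tag = token.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None

if __name__ == "__main__":
    print(audit_cookie("sid=abc123; Path=/; Expires=Thu, 10 Jun 2021 10:00:00 GMT"))
    token = sign_value("total=19.99", b"server-secret")
    print(verify_value(token, b"server-secret"), verify_value(token.replace("19.99", "0.01"), b"server-secret"))
```

The server-side session store should treat a token that fails `verify_value`, or a session ID it has never issued, exactly like a logged-out request.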