On my current project (running .NET 2.0), I have been using Selenium to test various security-related aspects of the application. (See "Could Selenium be used for security testing?" and "Selenium with support for cookie-management".) I have been happily using Firefox for running my tests, but today I tried to run the tests in Internet Explorer 7, without success.
The thing is that I have been using Selenium to verify login-related functionality, so for instance a test could be something like one of these:
- Test that a user can successfully log in by providing correct username and password
- Test that a user’s cookie session is ended when logging out
In order to successfully run these tests, I had to manipulate cookies in my tests:
- To prevent tests from interfering with each other, I had to remove any session cookies in between tests
- Test for existence of session cookies
When running my tests in Firefox, this worked well. I could perform operations on the .ASPXAUTH cookie, which is the cookie that .NET uses to identify an authenticated session. When running in IE 7, it breaks. The reason for this is that Microsoft has created a new cookie attribute called ‘HttpOnly’, which .NET sets on this cookie. A browser that honors HttpOnly does not expose the cookie to client-side script. The Set-Cookie HTTP header looks, for instance, like this:
Set-Cookie: .ASPXAUTH=bisxfb45rbiclmjmqu4aa345893763387328743238736; path=/; HttpOnly
Hence, my Selenium tests were unable to test for and to manipulate these cookies.
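
The behaviour described above can be modelled in a few lines. This is an added example, not code from the original post: a simplified cookie jar showing that an HttpOnly cookie is still sent to the server but is left out of the script-visible view, which is why a test that reads cookies through page script cannot see .ASPXAUTH. The names `parseSetCookie`, `CookieJar` and `demo`, and the sample header values, are constructed for illustration.

```javascript
// Simplified model of HttpOnly handling; all names and sample headers are constructed.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(p => p.length > 0);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('malformed cookie pair: ' + parts[0]);
  const cookie = { name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1),
                   httpOnly: false, secure: false, path: '/', expires: null };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'httponly') cookie.httpOnly = true; // attribute names are case-insensitive
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'path') cookie.path = val;
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Store a cookie from a response header; an expiry in the past deletes it (logout).
  setFromHeader(header, now = new Date()) {
    const c = parseSetCookie(header);
    if (c.expires !== null && c.expires <= now) this.cookies.delete(c.name);
    else this.cookies.set(c.name, c);
  }
  // What page script sees (the document.cookie view): HttpOnly cookies are left out.
  scriptView() {
    return [...this.cookies.values()].filter(c => !c.httpOnly)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
  // What goes to the server in the Cookie request header: every stored cookie.
  requestHeader() {
    return [...this.cookies.values()].map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed scenario: login sets the auth cookie plus one script-visible cookie.
function demo() {
  const jar = new CookieJar();
  jar.setFromHeader('.ASPXAUTH=CONSTRUCTED-TICKET; path=/; HttpOnly');
  jar.setFromHeader('theme=dark; path=/');
  const afterLogin = { script: jar.scriptView(), wire: jar.requestHeader() };
  // Logout: the server expires the auth cookie (constructed header).
  jar.setFromHeader('.ASPXAUTH=; expires=Tue, 12 Oct 1999 00:00:00 GMT; path=/; HttpOnly');
  return { afterLogin, afterLogout: jar.requestHeader() };
}
```

A login or logout test that needs to assert on the session cookie therefore has to inspect the `Set-Cookie` and `Cookie` headers at the HTTP level rather than through page script.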