HttpOnly broke my Selenium tests

January 24, 2007


On my current project (running .NET 2.0), I have been using Selenium to test various security related aspects of the application. (Could Selenium be used for security testing?, Selenium with support for cookie-management) I have been happily using Firefox for running my tests, but today I tried to run the tests in Internet Explorer 7. Without success.

The thing is that I have been using Selenium to verify login related functionality, so for instance a test could be something like these:

  • Test that a user can successfully log in by providing correct username and password
  • Test that a user’s cookie session is ended when logging out

In order to successfully run these tests, I had to manipulate cookies in my tests:

  • To prevent tests from interfering with each other, I had to remove any session cookies in between tests
  • Test for existence of session cookies

When running my tests in Firefox, this worked well. I could perform operations on the .ASPXAUTH cookie, which is the cookie that .NET uses to identify an authenticated session. When running IE 7 it breaks. The reason for this, is that Microsoft has created a new attribute on cookies called ‘HttpOnly’ that .NET uses, and the Set-cookie HTTP header looks for instance like this:

Set-Cookie: .ASPXAUTH=bisxfb45rbiclmjmqu4aa345893763387328743238736; path=/; HttpOnly

IE 6 SP1 (and apparently also IE 7) makes such cookies inaccessible by JavaScript, as explained here: Mitigating Cross-site Scripting With HTTP-only Cookies.
Hence, my Selenium tests were unable to test for and to manipulate these cookies.

I have a mixed feeling about this. Everything that helps security makes me happy. However, everything that makes my application hard to test is baaaaaad. And I mean really bad. I think that the technical solution that Microsoft has come up with here is good – it really makes sense. Why should JavaScript be able to manipulate session cookies like these anyway? I cannot think of any good use case for that. However, this is proprietary stuff that Microsoft has come up with and is not an agreed standard. Makes my life as a developer harder. Not good.

Profile picture

Written by Vidar Kongsli who is a software professional living in Oslo, Norway. Works as a consultant, system architect and developer at Bredvid. You should follow him on Twitter