httpOnly and webdriver


Andrew Watts-Curnow

Jan 29, 2012, 10:46:06 PM
to seleniu...@googlegroups.com
Can webdriver read and write the httpOnly flag on cookies?

David Lai

May 3, 2013, 4:04:01 AM
to seleniu...@googlegroups.com
I'm stumped on this myself. Yesterday I found out there was a bug with clearing cookies in the Safari webdriver, and I have been searching for a workaround for clearing/invalidating OAuth cookies.

Mark Collin

May 3, 2013, 4:58:16 AM
to seleniu...@googlegroups.com
Selenium can only interact with cookies that can be seen in the
JavaScript console, in other words if you can see the cookie in the
JavaScript console when you do a

document.cookie

Selenium will also be able to see it.

You can still attempt to overwrite a server side cookie manually by
creating a cookie with the same name and path, an example would be the
following:

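// Needs org.openqa.selenium.Cookie and org.joda.time.LocalDate
// Five-argument form is (name, value, domain, path, expiry); the "/" path is an
// assumption, use the path of the cookie being overwritten
Cookie logout = new Cookie("SPRING_SECURITY_REMEMBER_ME_COOKIE", "", "www.mydomain.com", "/",
        new LocalDate().minusYears(1).toDate());
driver.manage().addCookie(logout);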

The above will work with Safari at the moment, however your mileage may
vary with other browsers. You shouldn't really be able to overwrite
server side cookies in this manner.



Mark Collin

May 3, 2013, 5:00:35 AM
to seleniu...@googlegroups.com
Oh I ought to mention that the new LocalDate() part is using joda time

http://joda-time.sourceforge.net/

David

May 3, 2013, 1:46:06 PM
to seleniu...@googlegroups.com
To add on to Mark's response, what I've done to work around deleting cookies is that I go to a page where I know the cookie will be "visible" and then delete it there, perhaps followed by a page refresh, then proceed with the rest of the test.

For example, if you want to login but you're already logged in, hit the my account page, delete session/login cookie there, refresh page, and the website/app should take you back to login page since the cookie no longer exists. And if you never had the cookie, my accounts page would redirect you to login page anyways. So you just need 1-3 lines of code & rework the test flow, like

Instead of hitting the login page, always start from the my accounts page.

On hitting the page, execute this sequence: check if the login/session cookie exists; if it exists, delete the cookie, followed by a page refresh.

And by the way, no one has commented on the OP's original question on modifying a cookie's httpOnly attribute (e.g. convert to non-httpOnly or force a regular cookie into an httpOnly cookie).

Mark Collin

May 4, 2013, 7:43:32 AM
to seleniu...@googlegroups.com

An httpOnly cookie is what I am referring to as a server side cookie.

It is a type of cookie that is only supposed to be able to be modified from the server side, and not the client side. They are not visible in the JavaScript console if you do a:

document.cookie

That's why I said it is possible to overwrite them on Safari at the moment, but it is something that you should not be able to do.

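An added example, not part of the thread and not Selenium code: a small JavaScript model of the RFC 6265 storage rules for HttpOnly. It shows why such a cookie is absent from document.cookie, why a script-side overwrite with a past expiry is ignored, and why the same overwrite sent by the server as Set-Cookie removes it. The class, its method names and the cookie values are constructed for illustration.

```javascript
// Simplified model of RFC 6265 cookie storage; cookies are keyed by name only
// (a real jar also keys on domain and path). All names here are hypothetical.
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Parse "name=value; Attr; Attr=val" into a cookie record.
  static parse(line) {
    const [pair, ...attrs] = line.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), httpOnly: false, expires: null };
    for (const a of attrs) {
      const lower = a.toLowerCase();
      if (lower === 'httponly') c.httpOnly = true;
      if (lower.startsWith('expires=')) c.expires = new Date(a.slice(8)).getTime();
    }
    return c;
  }

  put(c, fromHttp) {
    const old = this.cookies.get(c.name);
    // Script APIs may neither create an HttpOnly cookie nor replace one.
    if (!fromHttp && (c.httpOnly || (old && old.httpOnly))) return false;
    // An expiry in the past deletes the stored cookie instead of storing it.
    if (c.expires !== null && c.expires <= Date.now()) this.cookies.delete(c.name);
    else this.cookies.set(c.name, c);
    return true;
  }

  setFromHttp(header) { return this.put(CookieJar.parse(header), true); }  // Set-Cookie
  setFromScript(text) { return this.put(CookieJar.parse(text), false); }   // document.cookie = ...

  render(list) { return list.map(c => `${c.name}=${c.value}`).join('; '); }
  documentCookie() { return this.render([...this.cookies.values()].filter(c => !c.httpOnly)); }
  requestHeader() { return this.render([...this.cookies.values()]); }
}

// Constructed sample values, not taken from a real application.
function demo() {
  const past = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT';
  const jar = new CookieJar();
  jar.setFromHttp('SPRING_SECURITY_REMEMBER_ME_COOKIE=token123; Path=/; HttpOnly');
  jar.setFromHttp('theme=dark; Path=/');
  const visible = jar.documentCookie();        // what page script sees
  const scriptOk = jar.setFromScript(`SPRING_SECURITY_REMEMBER_ME_COOKIE=; ${past}`);
  const afterScript = jar.requestHeader();     // still sent to the server
  jar.setFromHttp(`SPRING_SECURITY_REMEMBER_ME_COOKIE=; ${past}; HttpOnly`);
  return { visible, scriptOk, afterScript, afterServer: jar.requestHeader() };
}
```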