How to Capture an HttpOnly Cookie

Overview

The HttpOnly attribute marks a cookie as inaccessible to client-side script such as JavaScript, so its value cannot be read through standard means like document.cookie. The cookie is still visible in the browser's developer tools, but it is hidden from the page's document context; this limits the damage of a cross-site scripting (XSS) vulnerability, because injected script cannot read and exfiltrate the session cookie.

How It Works

Although HttpOnly cookies cannot be read directly, they are sent by the browser in the headers of network requests. You can capture the value of an HttpOnly cookie by intercepting a network call and extracting the cookie from its request headers using the fze.resource API.

  1. Identify a stable network request: Use your browser's developer tools to find a consistent network request that includes the target cookie in its Cookie request header.
  2. Store the full Cookie header: In a custom code step, use the fze.resource API to access the request headers of the identified network call, and store the entire Cookie header string in a local variable. Replace the URL with the actual resource from your application:

     // Look up the recorded request by the exact URL of the stable resource found in step 1.
     fze.local.fullCookieHeader = fze.resource['https://yourapp.com/stable/resource'].requestHeaders['Cookie'];

  3. Extract the specific cookie value: Add another custom code step to parse the stored cookie string and extract the value of the specific cookie you need. The following example extracts a cookie named 'SESSION_ID':

     const cookieString = fze.local.fullCookieHeader || ''; // avoid calling match() on undefined if the header was not captured
     const cookieName = 'SESSION_ID'; // Replace with your cookie name
     // Escape regex metacharacters in the name, then anchor the match at the start of the header
     // or after a ";" separator so that a cookie such as "ID" is not matched inside "SESSION_ID".
     // Note the doubled backslash: inside a string literal '\s' would collapse to a plain 's'.
     const escapedName = cookieName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
     const cookieRegex = new RegExp('(?:^|;\\s*)' + escapedName + '=([^;]*)');
     const cookieMatch = cookieString.match(cookieRegex);

     fze.local.myCookieValue = cookieMatch ? decodeURIComponent(cookieMatch[1]) : null;

  4. Use the extracted value: The extracted cookie value is now stored in the fze.local.myCookieValue variable and can be used in subsequent steps of your test.
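The regular expression in step 3 works for one cookie at a time, but a custom code step that needs several cookies, or cookie values that are percent-encoded or malformed, is easier to get right with a small parser of the whole Cookie header. The following is an added example and not part of the fze product or its API: the fze.resource lookup from the page is replaced by a constructed header string so the snippet runs offline, and the function names (parseCookieHeader, getCookieValue) are assumptions for illustration. It handles the two pitfalls a naive string search trips over: a cookie whose name is a suffix of another cookie's name (ID versus SESSION_ID) and a value whose percent-encoding is invalid.

```javascript
// Added example: a Cookie request-header parser for use in a custom code step.
// It is NOT part of the fze API. The constructed header below stands in for
// fze.resource[...].requestHeaders['Cookie'] so the snippet runs stand-alone.

// Constructed sample header, shaped like what a browser sends. The value of
// SESSION_ID is URL-encoded, and "ID" is a separate cookie whose name is a
// suffix of "SESSION_ID", the classic pitfall for a naive indexOf() search.
const SAMPLE_COOKIE_HEADER =
  'theme=dark; ID=short; SESSION_ID=abc%3D123%2Fxyz; csrf-token=t0k3n';

// Parse a Cookie request header into a Map of name -> decoded value.
// The header is a list of "name=value" pairs separated by "; " (RFC 6265 §4.2.1);
// a value may itself contain "=", so each pair is split on the first "=" only.
function parseCookieHeader(header) {
  const jar = new Map();
  if (typeof header !== 'string') return jar;
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    // A pair with no "=" is kept under its raw text as the name so nothing is
    // silently dropped; the value is empty.
    const name = eq === -1 ? pair : pair.slice(0, eq).trim();
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1).trim();
    let value;
    try {
      value = decodeURIComponent(rawValue);
    } catch (e) {
      // Malformed percent-encoding: keep the raw value instead of throwing
      // inside a test step and aborting the run.
      value = rawValue;
    }
    // On a repeated name the first occurrence wins, matching what most servers do.
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Equivalent of the page's step 3: the decoded value of one cookie, or null
// when the cookie is absent from the header.
function getCookieValue(header, cookieName) {
  const jar = parseCookieHeader(header);
  return jar.has(cookieName) ? jar.get(cookieName) : null;
}

// Stand-alone demonstration. In a real custom code step the header would come
// from fze.resource[...].requestHeaders['Cookie'] and the result would be
// stored in fze.local for later steps.
const demoValue = getCookieValue(SAMPLE_COOKIE_HEADER, 'SESSION_ID');
console.log('SESSION_ID =', demoValue); // prints "SESSION_ID = abc=123/xyz"
```

Because the parser is keyed on the exact cookie name, asking for 'ID' returns 'short' rather than a fragment of SESSION_ID, and a header that fails to decode is returned verbatim so the test step can log it rather than crash.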

Limitations

This method relies on identifying a network request with a stable URL. If the resource URL is dynamic and changes with each test run (for example, by including a build hash or session ID), the step to capture the header will fail. It is crucial to select a network resource that has a consistent and predictable URL across test executions for this approach to be reliable.