I have a set of C# Selenium tests that need to delete a cookie that has the HttpOnly flag set.

Unfortunately the DefaultSelenium.GetCookie() and DefaultSelenium.DeleteCookie() commands aren't able to access the cookie, because it has that HttpOnly flag set. I've confirmed this by removing the flag by hand, and checking that subsequent calls to either of those methods are then happily able to manipulate the cookie in question.

Is there any other way to do this via the Selenium .NET client driver?

All ideas welcome!

A: 

Since I was unable to do this via the client driver, I had to find an alternative method. Fortunately, the web app under test has a selection of test pages that allow interaction with the session cookie (being the HttpOnly cookie I was trying to access) and so I was able to achieve my goal by automating those pages instead.

For anybody else that encounters this issue, there's a good SO answer here about how HttpOnly is burned into ASP.NET.

Additionally, this SO answer points out how HttpOnly can be manipulated via the app's web.config, with the caveat that it can only be turned on, not off.

Anybody willing to alter their application for testing purposes should check out this workaround, basically altering the Session_Start method in Global.asax to strip out the HttpOnly flag so that it is accessible to client script. This kind of workaround should only be used in a test environment however, as it opens the security hole that HttpOnly was introduced to close - namely an XSS vulnerability. Jeff Atwood wrote a good blog post about it here.

BenA
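The boundary the question runs into, modelled as a small check that a test suite can run over a response's Set-Cookie headers. Selenium RC's cookie commands go through the browser's JavaScript, so they see only what `document.cookie` exposes: cookies without HttpOnly. The same parser lets a production smoke test assert that the session cookie still carries HttpOnly, which matters if the Session_Start workaround from the answer is ever applied outside a test environment. This is an added example, not code from the question or the answer; the header values are constructed for illustration (`ASP.NET_SessionId` is ASP.NET's default session cookie name, the rest is made up).

```python
"""Check which cookies in a set of Set-Cookie headers carry HttpOnly.

Selenium RC (DefaultSelenium) drives cookies through the page's JavaScript,
so it sees exactly the cookies document.cookie would expose: those WITHOUT
HttpOnly.  The helpers below model that boundary so a test suite can assert
that production responses keep HttpOnly on the session cookie even when a
test environment strips it.  Example code added for illustration; not part
of the original question or answer.
"""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are normalised to lower-case; flag attributes such as
    HttpOnly and Secure map to True, valued ones (Path, Expires) to their
    string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def client_script_visible(headers: List[str]) -> List[str]:
    """Names of cookies client script (and so Selenium RC's GetCookie) can read."""
    return [c["name"] for c in map(parse_set_cookie, headers)
            if not c["attrs"].get("httponly")]


def missing_httponly(headers: List[str], required: List[str]) -> List[str]:
    """Required cookie names that were set without HttpOnly, or not set at all."""
    seen = {c["name"]: c for c in map(parse_set_cookie, headers)}
    return [n for n in required
            if n not in seen or not seen[n]["attrs"].get("httponly")]


# Constructed sample responses.  "ASP.NET_SessionId" is the default ASP.NET
# session cookie name; the values and the "theme" cookie are made up.
PROD_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly; Secure",
    "theme=dark; path=/",
]
# Same app with the Session_Start workaround applied: HttpOnly stripped.
TEST_ENV_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/",
    "theme=dark; path=/",
]

if __name__ == "__main__":
    print("prod, visible to script:", client_script_visible(PROD_HEADERS))
    print("test, visible to script:", client_script_visible(TEST_ENV_HEADERS))
    print("prod missing HttpOnly:",
          missing_httponly(PROD_HEADERS, ["ASP.NET_SessionId"]))
    print("test missing HttpOnly:",
          missing_httponly(TEST_ENV_HEADERS, ["ASP.NET_SessionId"]))
```

Running it shows the session cookie only becoming script-visible in the test-environment headers, which is exactly the condition under which the original Selenium RC calls start working; `missing_httponly` is the assertion to keep in a production-facing check so that condition never ships.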