How To Test Cookies Using Postman
Testing Cookies with Postman: A Comprehensive Guide
Cookies are an integral part of web applications, storing valuable user information and session data. Testing how your API manages cookies is crucial to ensure functionality and security. This guide will explore various techniques for testing cookies with Postman.
1. Sending Cookies with Requests
Postman allows you to set cookies directly in your requests, providing control over the data sent to your server.
1.1. Setting Cookies in the Headers Tab
- Create a new request: Open a new Postman tab and select your desired HTTP method (e.g., GET, POST).
- Navigate to the “Headers” tab: Click on the “Headers” tab within your request.
- Add a “Cookie” header: Click “Add Key” and enter “Cookie” as the key.
- Enter cookie data: In the value field, enter your cookies in the format key1=value1; key2=value2.
- Send the request: Click “Send” to execute your request with the specified cookies.
Example:
Cookie: sessionID=1234567890; user=johndoe
1.2. Using the “Cookies” Tab for Multiple Cookies
- Find the “Cookies” tab: Within your request, find the “Cookies” tab, which appears below the “Headers” tab.
- Add cookies in table format: Add each cookie as a new row in the table, specifying the “Name” and “Value”.
- Send the request: Once your cookies are set, send your API request as usual.
2. Receiving and Inspecting Cookies
After sending a request, you can inspect the cookies returned by your server in Postman’s response.
2.1. View Cookies in the “Response” Tab
- Send your request: Execute your API request as normal, sending any necessary cookies.
- Inspect the “Response” tab: After the request completes, switch to the “Response” tab.
- Browse the response headers: Click on “Headers” to view the response headers.
- Locate the “Set-Cookie” header: Find and expand the “Set-Cookie” header to reveal the cookies returned by your server.
2.2. Accessing Cookies with JavaScript (Postman Console)
Postman’s console allows you to interact with the response using JavaScript, including accessing and manipulating returned cookies:
- Send your request: Execute your API request.
- Open the “Console” tab: In Postman, click the “Console” tab.
- Retrieve cookies using pm.response.cookies: Use JavaScript code to access the pm.response.cookies object. This object contains an array of cookie objects, each with properties like “name”, “value”, “domain”, and “path”.
Example JavaScript code in Postman console:
// Access cookies from the response
const cookies = pm.response.cookies;
console.log(cookies);
// Look up a specific cookie; find() returns undefined when the cookie is absent
const sessionCookie = cookies.find(cookie => cookie.name === 'sessionID');
console.log(sessionCookie ? sessionCookie.value : 'sessionID cookie not set');
3. Testing Cookie Functionality
Now that you can send and receive cookies, let’s test various cookie-related scenarios.
3.1. Creating and Retrieving Session Cookies
- Send a request to initiate a session (e.g., login): This request should trigger the server to generate a session cookie.
- Inspect the “Set-Cookie” header: Verify that your server returned a session cookie with a unique identifier.
- Send subsequent requests with the session cookie: Include the session cookie in the “Cookie” header of all future requests that require authentication.
- Validate responses: Ensure that these requests are successful, signifying that the session cookie is being recognized.
3.2. Handling Cookie Expiration Dates
- Set a specific expiration date for a cookie: This may require manipulating the server-side code that generates cookies.
- Send a request after the expiration date: Execute a request to your API using the expired cookie.
- Validate the response: The server should either reject the request, indicating cookie expiry, or generate a new session.
3.3. Testing Cookie Path and Domain Restrictions
- Create cookies with different “path” and “domain” values: Configure your server to produce cookies with varying path and domain attributes.
- Send requests from different URLs and domains: Attempt to access your API from URLs that match and don’t match the cookie’s path and domain.
- Verify cookie accessibility: The server should only allow access to cookies from URLs that align with the specified path and domain.
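Sections 3.2 and 3.3 depend on knowing in advance which requests should carry a cookie. The following added example (not part of the original guide, and not Postman's own code) implements the RFC 6265 domain, path and expiry rules a client applies before attaching a stored cookie, so the expected result for each test URL can be computed. The helper names parseSetCookie and wouldSend, the example.com hosts and the fixed clock are assumptions made for illustration.

```javascript
// Added example: RFC 6265 matching rules; helper names are hypothetical.
function parseSetCookie(header, requestUrl, now = Date.now()) {
  const { hostname, pathname } = new URL(requestUrl);
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: hostname, hostOnly: true,        // no Domain attribute: exact host only
    path: pathname.slice(0, pathname.lastIndexOf('/')) || '/', // RFC default-path
    expires: Infinity,                       // no expiry attribute: session cookie
  };
  let maxAgeSeen = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.expires = now + Number(val) * 1000; // Max-Age takes precedence over Expires
      maxAgeSeen = true;
    } else if (key === 'expires' && !maxAgeSeen && !Number.isNaN(Date.parse(val))) {
      cookie.expires = Date.parse(val);
    }
  }
  return cookie;
}

// True if a client following RFC 6265 would attach `cookie` to a request for `url`.
function wouldSend(cookie, url, now = Date.now()) {
  const { hostname, pathname } = new URL(url);
  const domainOk = hostname === cookie.domain ||
    (!cookie.hostOnly && hostname.endsWith('.' + cookie.domain));
  const p = cookie.path;
  const pathOk = pathname === p ||
    (pathname.startsWith(p) && (p.endsWith('/') || pathname[p.length] === '/'));
  return domainOk && pathOk && cookie.expires > now;
}

// Constructed sample: a login response from api.example.com at a fixed clock.
const NOW = Date.parse('2024-01-01T00:00:00Z');
const session = parseSetCookie('sessionID=1234567890; Domain=example.com; Path=/api; Max-Age=3600',
  'https://api.example.com/api/login', NOW);
console.log(['https://api.example.com/api/users', 'https://api.example.com/apiv2']
  .map(u => [u, wouldSend(session, u, NOW)]));
```

The /apiv2 case is the one most often missed: Path=/api matches /api and /api/..., but not a sibling path that merely shares the prefix.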
4. Additional Tips for Testing
- Automate your tests: Use Postman collections to streamline the creation, execution, and verification of your tests for efficiency.
- Utilize assertions: Leverage Postman’s assertion capabilities to ensure that responses meet your expected conditions.
- Integrate with CI/CD: Connect your Postman tests to your CI/CD pipeline for continuous cookie-related test execution.
By applying these techniques and utilizing Postman’s tools, you can thoroughly test your API’s cookie management and ensure a robust and secure web application.