Unable to send JMeter token value as cookie - cookies

I have issues running scripts that work fine on my laptop but not on server VMs (both Windows and Linux).
Some of the modules of the application I test communicate with the client through cookies. The bearer authentication token is expected to be sent in the request header as a cookie when accessing these functionalities. These are mostly JavaScript events in the browser.
JMeter 5.3 on my laptop successfully sends these cookie values with / in the server name field to the application server and also gets the successful HTML response. But on the Linux/Windows server, it gives an illegal character error (rightly so).
I then decided to develop the scripts directly on Windows Server. When I removed the / from the host name and added it to the path instead, the cookie value (token) was not sent and the application server threw an authentication error. If I add two forward slashes, it works for some endpoints; others work with three forward slashes (///). Some endpoints work with // only if you choose "Redirect Automatically". If you choose "Follow Redirects", the application again throws an authentication error. The developers are blaming JMeter for the incorrect request but are not giving me more information.
I also tried setting CookieManager.save.cookies=true in jmeter.properties.
Can someone please help with this weird JMeter behavior?
Thanks,
Partha

If you're talking about the "Domain" field of the HTTP Cookie Manager:
then you can tell your developers that they should stop blaming JMeter for sending incorrect requests; they should rather read RFC 6265 followed by RFC 1034, and once done they should quit their developer jobs and become rickshaws.
If you want to know more about how JMeter handles cookies, the best way is to enable debug logging for the HTTP Cookie Manager by adding the next line to the log4j2.xml file:
<Logger name="org.apache.jmeter.protocol.http.control" level="debug" />
and the next time you start JMeter you will see much more information regarding cookie extraction and manipulation in the jmeter.log file.
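To make the RFC 6265 point in the answer concrete, here is an added example (my own code, not JMeter's) that implements the cookie domain-match and path-match rules a client applies before attaching a cookie. A Domain value such as "myhost/api" is rejected outright because "/" is not legal in an RFC 1034 host name, which is exactly why a cookie with a slash in the server name field never reaches the server. The host names used are constructed.

```python
"""RFC 6265 cookie-domain and path checks, as a worked example.

Added here to illustrate the answer above; this is not JMeter code. It
implements the domain-match algorithm of RFC 6265 section 5.1.3, the
path-match rules of section 5.1.4, and the RFC 1034 host-name syntax that
makes a Domain value containing "/" invalid.
"""
import re

# One DNS label per RFC 1034: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def canonicalize_host(host: str) -> str:
    """Lower-case and strip a single trailing dot (section 5.1.2, simplified)."""
    return host.rstrip(".").lower()


def is_valid_cookie_domain(domain: str) -> bool:
    """True if `domain` is a syntactically valid host name for the Domain attribute.

    A leading dot is tolerated (clients ignore it). Anything that is not a
    dot-separated list of RFC 1034 labels, e.g. "myhost/api", is rejected.
    """
    domain = canonicalize_host(domain.lstrip("."))
    if not domain or len(domain) > 253:
        return False
    return all(_LABEL.match(label) for label in domain.split("."))


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does request_host domain-match cookie_domain?"""
    host = canonicalize_host(request_host)
    domain = canonicalize_host(cookie_domain.lstrip("."))
    if not is_valid_cookie_domain(domain):
        return False
    if host == domain:
        return True
    # host must be a sub-domain of the cookie domain and must not be an IP address
    if not host.endswith("." + domain):
        return False
    return not _IPV4.match(host)


def should_send(request_host: str, request_path: str,
                cookie_domain: str, cookie_path: str = "/") -> bool:
    """Combine domain-match and path-match (section 5.1.4) to decide whether a cookie is attached."""
    if not domain_matches(request_host, cookie_domain):
        return False
    path = request_path or "/"
    cp = cookie_path or "/"
    if path == cp:
        return True
    if path.startswith(cp):
        # prefix match counts only at a "/" boundary
        return cp.endswith("/") or path[len(cp)] == "/"
    return False


if __name__ == "__main__":
    # Constructed host names; shows why a slash in the Domain field can never match.
    print(is_valid_cookie_domain("app.example.test/api"))            # False
    print(should_send("app.example.test", "/api/token", "example.test", "/api"))  # True
```

Point a debugger at `should_send` with the host, path and cookie attributes from the jmeter.log debug output described above and the decision of the Cookie Manager becomes reproducible outside JMeter.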

Related

Connecting localhost to a remote dev server (CORS, same-site, secure and other headaches)

I'm currently working on a React project. The development server (Bottle/Python) for the project is hosted remotely, and my React dev server is localhost. Part of the authentication process for the application involves setting a cookie on login, but because of SameSite and Secure rules that cookie is not being set, meaning that my dev frontend can't access any of the data that it needs.
The server engineer and I have added SameSite=None to the cookie as well as Secure, but because my localhost is not https the cookie is still not being stored properly (I get the error message "this Set-Cookie was blocked because it had the "Secure" attribute but was not received over a secure connection").
There are no issues when the app is deployed because everything is on the same domain, but for now we're stuck; we've been trying to solve the issue for several hours but can't seem to get it.
My question is: what is the best development practice if you need to access a non-local development server, but can't actually just have your own version of the server running on your local machine?
Do I:
1. Need to make my localhost https somehow?
2. Need to make the dev-server domain https?
3. Need to install the server locally because there's just no way to do this?
Apologies if this is a noob question; it would be great to have some advice.
Many thanks.
The short answer is:
1. No
2. Yes
3. No
You can run your app on http://localhost:port. Assuming the response from your dev server carries a Set-Cookie header for a cookie with the Secure flag, your dev server URL has to be https in order for the browser to accept the cookie.
I have this setup and it works just fine.
Regarding CORS (as mentioned in the title of the question): you have to have your server configured to accept credentials and to have allowed origins configured. The client app, when doing an XHR request, has to set withCredentials: true. Check points 2 and 3 in my post for details.
Also note that if you are using Chrome you can, for development purposes, bypass the requirement to have SameSite=None and Secure by disabling the flag "Cookies without SameSite must be secure", also detailed here.
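The server side of the answer above (credentialed CORS plus a cross-site session cookie), as an added example that is not the question's Bottle code or the answer's own setup. It is a minimal WSGI app on the Python standard library; the allowed origins and the session value are constructed placeholders, and the server is assumed to sit behind a TLS terminator so its public URL is https, which is what the Secure attribute requires.

```python
"""Credentialed CORS and a SameSite=None; Secure session cookie, dev-server side.

Added example (not from the question or answer). Stand-in for the remote dev
server: echoes a specific allowed origin (never "*" when credentials are
allowed), answers preflight, and sets the session cookie on /login.
"""
from typing import List, Optional, Tuple
from wsgiref.simple_server import make_server

# Constructed: origins that may send credentialed requests. A wildcard is not
# permitted together with Access-Control-Allow-Credentials: true.
ALLOWED_ORIGINS = {"http://localhost:3000", "https://app.example.test"}


def cors_headers(origin: Optional[str]) -> List[Tuple[str, str]]:
    """Headers for a credentialed CORS response; empty if the origin is not on the list."""
    if origin not in ALLOWED_ORIGINS:
        return []
    return [
        ("Access-Control-Allow-Origin", origin),        # echo the one matching origin
        ("Access-Control-Allow-Credentials", "true"),   # lets withCredentials cookies through
        ("Access-Control-Allow-Methods", "GET, POST, OPTIONS"),
        ("Access-Control-Allow-Headers", "Content-Type"),
        ("Vary", "Origin"),                             # caches must key on Origin
    ]


def session_cookie(value: str, cross_site: bool) -> str:
    """Set-Cookie value for the session cookie.

    cross_site=True is the dev case from the question: SameSite=None requires
    Secure, and Secure requires the server URL to be https. Same-site
    deployments can keep the stricter SameSite=Lax.
    """
    attrs = [f"session={value}", "Path=/", "HttpOnly", "Secure"]
    attrs.append("SameSite=None" if cross_site else "SameSite=Lax")
    return "; ".join(attrs)


def app(environ, start_response):
    """WSGI entry point: preflight, login (sets cookie), and a plain resource."""
    headers = cors_headers(environ.get("HTTP_ORIGIN"))
    if environ["REQUEST_METHOD"] == "OPTIONS":          # CORS preflight
        start_response("204 No Content", headers)
        return [b""]
    headers.append(("Content-Type", "text/plain"))
    if environ.get("PATH_INFO") == "/login":
        headers.append(("Set-Cookie", session_cookie("constructed-session-id", cross_site=True)))
        start_response("200 OK", headers)
        return [b"logged in"]
    start_response("200 OK", headers)
    return [b"ok"]


if __name__ == "__main__":
    # Put a TLS-terminating reverse proxy in front so the browser sees https.
    with make_server("127.0.0.1", 8080, app) as srv:
        srv.serve_forever()
```

On the client side the request must opt in to credentials, e.g. `fetch(url, {credentials: "include"})` or `xhr.withCredentials = true`; without that the browser neither sends nor stores the cookie even when the server headers are right.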

How to fix "Could not get any response" in Postman?

Postman for Linux
Version 6.7.1
Deepin x64
I'm trying to test a GET method in Postman to test my code, but I always get this error message:
Could not get any response.
There was an error connecting to localhost:3001/blocks.
Why this might have happened:
The server couldn't send a response:
Ensure that the backend is working properly
Self-signed SSL certificates are being blocked:
Fix this by turning off 'SSL certificate verification' in Settings > General
Proxy configured incorrectly
Ensure that proxy is configured correctly in Settings > Proxy
Request timeout:
Change request timeout in Settings > General
I've tried almost everything from this topic ("Could not get any response" response when using postman with subdomain) but nothing seems to work.
This is what the message console shows.
[Postman console screenshot]
Can someone help me fix this?
In Postman go to Postman -> Preferences and in the Settings tab turn off SSL certificate verification.
It worked for my project; try this:
Restart your local web server, e.g. WAMP, PostgreSQL, Oracle.
In Postman settings:
Trim keys and values in request body OFF
Use next generation URL processing ON
SSL certificate verification OFF
Always open request in web tab OFF
Send no cache header ON
Send postman token header ON
Retain headers when clicking on links OFF
Automatically follow redirects ON
Send anonymous usage data to postman OFF
It works for me:
Restart your web server (e.g. PostgreSQL, Oracle).
It will work.
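The answers above turn settings off until the error goes away. The Postman message itself lists four distinct causes, and they can be told apart before changing anything. Here is an added example (my own script, not Postman's code) that probes a host:port the way a client would and maps the failure to the cause in that list: backend not listening, untrusted (self-signed) certificate, or timeout. Turning off certificate verification is then a deliberate, development-only choice made after the probe says that is the actual problem.

```python
"""Distinguish the causes Postman lists for "Could not get any response".

Added example, not from the question or any answer. probe() opens a TCP
connection (and a verifying TLS handshake when asked) and reports either
"ok" or the classified failure; free_local_port() is only there so the
demo can show the "backend not listening" case against loopback.
"""
import socket
import ssl


def classify_exception(exc: BaseException) -> str:
    """Map a connection exception to the matching cause from Postman's list."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate not trusted (self-signed?)"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed"
    if isinstance(exc, ConnectionRefusedError):
        return "backend not listening"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "request timeout"
    if isinstance(exc, socket.gaierror):
        return "host name does not resolve"
    return f"other: {type(exc).__name__}"


def probe(host: str, port: int, use_tls: bool = False, timeout: float = 3.0) -> str:
    """Connect (and, if use_tls, complete a verified TLS handshake); return 'ok' or the cause."""
    ctx = ssl.create_default_context() if use_tls else None   # verifies certificates by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if ctx is None:
                return "ok"
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok (tls)"
    except OSError as exc:            # every socket/ssl error derives from OSError
        return classify_exception(exc)


def free_local_port() -> int:
    """Return a loopback port nothing is listening on right now (demo helper only)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # The address from the question; adjust use_tls to match how the backend is served.
    print("localhost:3001 ->", probe("localhost", 3001, use_tls=False))
    print("closed port    ->", probe("127.0.0.1", free_local_port()))
```

If the probe reports "certificate not trusted", the clean fix for a development backend is to import the self-signed certificate (or a local CA) into Postman's CA store rather than disabling verification globally; "backend not listening" means no Postman setting will help.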

Securing LTPA Token in WebSphere Liberty Profile

We are using WebSphere Liberty Profile (17.0.0.4) to run our JAX-RS REST services. We are running our applications through Contrast, which is a scanning service. It is flagging our cookies as having the Secure flag turned off. However, we are not using or touching any cookies in our code. The only cookie that is coming back in the response from our services is LtpaToken2, and sure enough, it has the Secure flag set to false. How can I enable the Secure flag for the LtpaToken2 cookie (hopefully via configuration and not by having to read and rewrite it in our code)?
Adding <webAppSecurity ssoRequiresSSL="true"/> to the server.xml file should do it.
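To verify the server.xml change without waiting for the next scan, here is an added example (my own code, not Contrast's scanner or Liberty's) that audits the Set-Cookie headers of a response for the attributes a scanner looks for. The headers below are constructed; the LtpaToken2 value is a placeholder, not a real LTPA token, and the HttpOnly attribute in the sample is part of the constructed input rather than a statement about Liberty's defaults.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly / SameSite attributes.

Added example (not from the question or answer): the kind of check a scanner
performs, so the LtpaToken2 cookie can be re-checked after setting
ssoRequiresSSL="true". Sample headers are constructed placeholders.
"""
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple

# Attributes every session-bearing cookie should carry.
REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(header_value: str) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        missing = [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
        if not morsel["samesite"]:          # attribute value, "" when absent
            missing.append("samesite")
        findings[name] = missing
    return findings


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    result: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            result.update(audit_set_cookie(value))
    return result


# Constructed samples: the shape the scanner flagged, and the shape expected once
# the SSO cookie is only issued over SSL with the Secure flag.
BEFORE = [("Set-Cookie", "LtpaToken2=PLACEHOLDER_TOKEN; Path=/; HttpOnly")]
AFTER = [("Set-Cookie", "LtpaToken2=PLACEHOLDER_TOKEN; Path=/; HttpOnly; Secure")]

if __name__ == "__main__":
    print("before:", audit_response_headers(BEFORE))   # secure and samesite missing
    print("after: ", audit_response_headers(AFTER))    # only samesite missing
```

Feed the function the real headers from a `curl -sD -` against the service before and after restarting Liberty; an empty list for LtpaToken2 on the Secure check is the result the scanner wants.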

How can I get Fiddler to display information about a web service request made from my ASP.NET code behind?

I have an ASPX page. When the page is loaded, there is code in the code-behind that uses an API. The API makes an HTTPS call out to a third-party, commercial web service. I am trying to troubleshoot why the API calls are not working properly. Apparently the API actually constructs an XML request that is sent out over HTTPS to the web service. I've been told by the support rep that I need to provide them with the XML that is being sent. The only way I can figure out how to get the XML is to use a tool like Fiddler to see what is being sent out. So how can I use Fiddler to see the contents of the XML request that is being sent from the server out to the web service? I am running everything directly on the server, but all I am seeing is the GET request for the ASPX file itself. I am not seeing anything in relation to the HTTPS request that the server code is sending out to the web service. I have not used Fiddler much, so I am hoping that maybe I just don't have it set up right to monitor that traffic.
Corey
After mucking around with it a bit I found this post: Why isn't fiddler capturing request when invoking XMLRPC from iis?. That seemed to do the trick! Basically it sounds like the default proxy settings in Win7 are on a per-user basis. So I went in and changed the identity of the AppPool for my site to a local user (Administrator) and then it worked great. I started up Fiddler. Then I started up my ASP.NET app, and when I loaded the page I saw the request that went out to the web service from my code-behind! Yay!

In FinalBuilder, how do I use the HTTP Get File action with Windows Authentication?

I have a FinalBuilder project where I deploy an ASP.NET website to a remote folder, configured as a website in IIS.
As part of my build script, I want to use the FinalBuilder action HTTP Get File to help determine whether my deployment was successful.
I'm having difficulty, because the website is configured (under IIS 6) to use Integrated Windows Authentication, and anonymous access is not enabled.
Now the HTTP Get File action has only a handful of properties, one of which is a Security section containing a UserName and Password. Great, I thought! I can just put some valid credentials in there, which FinalBuilder will impersonate whilst retrieving my file.
It turns out I was mistaken. I receive the following error:
Error retrieving url : Socket Error # 10061
Connection refused.
If I run the action without setting the Security Username and Password, I get the following error:
Error retrieving url : HTTP/1.1 401 Unauthorized Response Code : 401
Here are some facts to help with the context of my problem.
I'm running FinalBuilder 6 Professional on a Windows Server 2003 installation, and deploying my ASP.NET website to a remote IIS6 server within our corporate LAN.
If I configure IIS on the remote server to allow anonymous access, I can run the HTTP Get File action without error. However, running this particular site with anonymous access is not acceptable in our situation.
Can anyone help suggest a workaround?
For a definitive answer, I think the FinalBuilder Forum is probably your best bet.
My guess, though, is that the HTTP library used by FB doesn't support Windows authentication, and is failing because no common authentication method can be negotiated. Since HTTPS isn't supported either by the HTTP Get File action, the possible workaround of allowing Basic authentication on your site isn't a good idea, as you would be passing credentials over the network in plain text.
The only remaining workaround I can think of (other than waiting for a future FB release) is creating your own FB action to retrieve the file. Using the .NET Framework System.Net.WebClient, that should be trivial. Just start with a standalone EXE to make sure everything works, then refactor it into a 'real' action using FinalBuilder Action Studio (if that's even required: spawning an external EXE may work just fine in your case).
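The answer's two points, a standalone fetcher the build can spawn and never sending credentials in plain text, as an added example. This is my own Python script, not FinalBuilder's HTTP Get File action and not the System.Net.WebClient code the answer suggests (the .NET version would use WebClient with NetworkCredential for Integrated Windows Authentication, which the Python standard library cannot negotiate). It stands in for the "standalone EXE" step: it fetches a page with HTTP Basic credentials, reports the status code, and refuses to attach credentials to anything but an https URL. The URL and credentials are constructed placeholders.

```python
"""Deployment smoke check that never sends credentials over plain HTTP.

Added example, not FinalBuilder code. build_authorization() raises for any
non-https URL so a Basic credential cannot leak in clear text; fetch_status()
returns 401/403/5xx as values instead of raising, so the build step can
decide what "deployed" means. Exit status is non-zero on failure so a
build tool spawning the script can pick the result up.
"""
import base64
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlsplit


def build_authorization(url: str, username: str, password: str) -> Tuple[str, str]:
    """Authorization header for Basic auth; only permitted for https URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials over a non-https URL")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return ("Authorization", f"Basic {token}")


def fetch_status(url: str, username: Optional[str] = None,
                 password: Optional[str] = None, timeout: float = 10.0) -> int:
    """GET the URL and return the HTTP status code (error statuses are returned, not raised)."""
    req = urllib.request.Request(url, method="GET")
    if username is not None:
        req.add_header(*build_authorization(url, username, password or ""))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 401 Unauthorized, 404, 500, ...
        return err.code


def deployment_ok(url: str, username: Optional[str] = None,
                  password: Optional[str] = None) -> bool:
    """A deployment counts as successful only on a 2xx response."""
    return 200 <= fetch_status(url, username, password) < 300


if __name__ == "__main__":
    # Constructed placeholders; pass the real URL as argv[1] and read the
    # credential from the build tool's secret store rather than the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://intranet.example.test/site/healthcheck.aspx"
    ok = deployment_ok(target, "DOMAIN\\deploy-user", "placeholder-password")
    print("deployment ok" if ok else "deployment check FAILED")
    sys.exit(0 if ok else 1)
```

The https-only guard is the part worth keeping whatever language the real action ends up in: the 401 in the question is the server asking for credentials, and the safe response to that is a TLS endpoint or an authentication scheme that does not transmit the password, not a Basic header over port 80.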