Handling token or save from cookie in gatling - cookies

Sorry for my English.
I am completely new at Scala and Gatling, but I need to handle a session token.
"X-Auth-Token" -> "62421ead-4gg6-432a-8fb8-def6b8204a72"
Example of the token.
Now I know that the token is saved in a cookie, but I don't know how to save and reuse this cookie. The cookie name is "authToken". I tried to do this:
.post("/xxx/yyy/login/authenticate")
.headers(headers_16)
.body(RawFileBody("RecordedSimulation_0016_request.txt"))
.check(headerRegex("Set-Cookie","(.*)").saveAs("authToken"))
but Gatling found nothing.
Tomorrow I will know how the token is sent from the website, but I also tried to save it from HTTP headers and meta tags:
.check(regex("""<meta content="(.*)" name="X-Auth-Token">""").saveAs("auth_token"))
.check(header("X-Auth-Token").saveAs("token"))
Does the cookie have to be downloaded at the moment of saving it, or can it be downloaded later?
Sorry for my English :)

To save the cookie value into the session, use something like this. Ensure the auth token is coming in the response. Adjust the regex accordingly. To check how it is coming in the response, you can test your URL in the browser and check the response headers using dev tools.
.check(headerRegex("Set-Cookie", "X-Auth-Token=(.*)").saveAs("authToken"))
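An added Python check (mine, not part of the original answer) of what the regex above actually captures from a Set-Cookie header: the greedy (.*) takes the cookie attributes along with the value, so a load test would send back a broken token. The header value is constructed, and Python's http.cookies stands in for a real cookie parser.

```python
import re
from http.cookies import SimpleCookie

# Constructed Set-Cookie header; the token value is made up for the example.
SET_COOKIE = "X-Auth-Token=62421ead-4gg6-432a-8fb8-def6b8204a72; Path=/; HttpOnly; Secure"


def capture(pattern: str, header: str):
    """Mimic Gatling's headerRegex: return the first capture group, or None."""
    m = re.search(pattern, header)
    return m.group(1) if m else None


def cookie_value(header: str, name: str):
    """Parse the Set-Cookie header as a cookie and return only the named cookie's value."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = jar.get(name)
    return morsel.value if morsel else None


if __name__ == "__main__":
    # The answer's pattern drags the attributes along; stopping at ';' does not.
    print(capture(r"X-Auth-Token=(.*)", SET_COOKIE))
    print(capture(r"X-Auth-Token=([^;]+)", SET_COOKIE))
    print(cookie_value(SET_COOKIE, "X-Auth-Token"))
```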

How to implement token authentication using httponly cookie in Django and Drf

I'm building an application with Django and DRF, and currently using vanilla JS as the frontend for now.
I searched almost all through the web on different use cases for authentication on the web and found different links, but these links seem to always favour session authentication and token authentication.
Using Django gives us session authentication by default, so I decided to study the auth process using token auth.
While doing this, I initially used localStorage as a store for my tokens gotten from the backend response after the user authenticates, but for some valid reasons, most devs/engineers advise against using localStorage as it exposes one to XSS attacks.
So I decided to implement the HttpOnly cookie method, but I haven't seen a practical use of this done on Django; I've seen theories on implementing all this but haven't seen someone do it.
Please, how can I use the HttpOnly cookie with my token stored as a cookie with Django?
EDIT
I know an HttpOnly cookie does not allow JavaScript to access the cookie, so I decided to do this.
1) Django sends the HttpOnly cookie with the token as the cookie.
2) The user makes a request to the backend.
3) The server gets the token from the cookie sent with the request.
4) "Where the problem now comes": I can't set the token as a header in Django. I tried using request.headers['Autho...] = Token ....
But that doesn't allow item assignment.
So if my logic is correct, this is where I'm stuck.
EDIT: So this time, I am now able to add a header from the server, using request.META to pass an Authorization key with the Token .... value. That seems to work fine instead of having to use request.headers for the assignment.
But something happened which shocked me: even though I'm able to change or add an authorization token from the server, the view still gives me an error, much like I never passed a token at all.
It's like after all the effort and everything, nothing changes, except if it's requested from the client side 😢.
Guess I will have to stick with localStorage for now, but still research more or wait for answers.
I've done the authentication with a token using an HttpOnly cookie.
I recall when I asked questions and some loving guys from here helped, though we couldn't see a straight-off answer as we had to research and think as well.
The steps I used were these:
1) Django takes in the user credentials.
2) Django authenticates those credentials.
3) A token is exchanged for that data.
4) We set the token in a cookie using
set_cookie(.... , httponly=True)
Then it was time for the real workout.
I created a middleware which is responsible for setting the token as an Authorization key in the header dict, instead of allowing the client to do this.
The client couldn't handle this because the cookie now had the HttpOnly flag, which prevents JS from accessing it; the purpose of using HttpOnly was to prevent XSS attacks when tokens/cookies are normally stored in browser storage.
We then handle the middleware to our taste; in mine I tried making sure it works for only some views and not all views (I'm planning on making a custom decorator for it).
Then lastly 🤔🤔 we'll have fun and smile at seeing me create something like this without a previous tutorial...
The GitHub repo link: https://github.com/HarryAustin/tweeter-DrfTest-httonlycookie
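An added example (mine, not code from the answer or its repository) of the middleware the answer describes, kept free of Django imports so it runs stand-alone: it copies the HttpOnly cookie into request.META['HTTP_AUTHORIZATION'], which is what DRF's TokenAuthentication reads, and only for a chosen path prefix, as the answer wanted. The cookie name, the protected prefix and the 40-hex-character DRF token shape are assumptions.

```python
import re

COOKIE_NAME = "auth_token"        # assumed cookie name; the post does not give one
PROTECTED_PREFIXES = ("/api/",)   # assumed: only these paths get the bridged header
TOKEN_SHAPE = re.compile(r"[0-9a-f]{40}")  # DRF's default Token.key is 40 hex chars


def cookie_options():
    """Keyword arguments for Django's HttpResponse.set_cookie (step 4 of the answer).
    HttpOnly keeps JS away from the token; Secure and SameSite=Strict limit where the
    browser attaches it on its own, which matters because the bridged header below
    inherits the cookie's automatic-send behaviour, so CSRF protection still applies."""
    return {"httponly": True, "secure": True, "samesite": "Strict"}


def bridge_cookie_to_header(cookies, meta, path):
    """Pure function behind the middleware: returns the value to place in
    request.META['HTTP_AUTHORIZATION'], or None when nothing should be added.
    A header the client already sent wins, so the cookie never overrides it."""
    if not path.startswith(PROTECTED_PREFIXES):
        return None
    if "HTTP_AUTHORIZATION" in meta:
        return None
    token = cookies.get(COOKIE_NAME)
    if not token or not TOKEN_SHAPE.fullmatch(token):
        return None  # missing or malformed cookie: leave the request unauthenticated
    return f"Token {token}"


class CookieToAuthorizationMiddleware:
    """Django-style middleware: new-style callable taking get_response.
    Usage in a login view: response.set_cookie(COOKIE_NAME, token.key, **cookie_options())."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        value = bridge_cookie_to_header(request.COOKIES, request.META, request.path)
        if value is not None:
            request.META["HTTP_AUTHORIZATION"] = value
        return self.get_response(request)
```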

Facebook auth setup

How can I set up PAW to work with Facebook locally for development? Or even at all, for that matter?
I have a node.js backend that I'm setting up with Facebook Auth. Every one of my routes needs the user to be logged in. I have two endpoints related to FB Auth. localhost:3000/api/v1/loginFB and localhost:3000/api/v1/callbackFB. Both of these work great in a web browser.
loginFB simply returns this string... https://www.facebook.com/dialog/oauth?client_id=523534457345&redirect_uri=https://localhost:3000/api/v1/callbackFB&scope=email,public_profile,user_friends.
When I call that URI in a browser, it returns a code=blahblah which my callbackFB endpoint uses to fire off another request to get the access token. All good.
So now in PAW I'm confused by the difference between the request URI and the Authorization URL text field. Should I use the loginFB URI for my request URI? And then https://www.facebook.com/dialog/oauth in the Authorization URL text field?
Basically what's happening is that when I click Get Access Token, it returns the code but my callbackFB endpoint returns a 500 saying "This authorization code has been used." The code that gets returned is definitely different each time I click Get Access Token.
This is where I'm at with this thing (Client ID and Client Secret are actually my App ID and App Secret from FB's dev management site, and the Access Token URL is actually set to https://graph.facebook.com/v2.3/oauth/access_token which I'm 99% sure is the correct URI):
This is the error I get when I click the Get Access Token button:
It would be awesome to get some advice from anyone with experience with this issue. Thanks.
Re: #MichaMazaheri
tl;dr Fixed in version 2.2.2
Sorry for the super late follow-up. We actually fixed this exact issue in Paw 2.2.2, which is already released on our website and pending review for the Mac App Store. (It was some JSON vs. Form URL-Encoded parsing issue.) Thanks for reporting.

Extracting CSRF Token for a DJANGO Application

I'm currently trying to run tests on a Django web app, but the CSRF token is giving me problems.
I read in a couple of places that I need to use the Regular Expression Extractor to save the token that is generated, but it didn't work.
I investigated further and saw that I needed to use a dynamic cookie value; the value is in a cookie named "csrftoken".
So I tried to use ${COOKIE_csrftoken} but it didn't work.
What should I do in order to use that value of the cookie dynamically?
Try showing in your question where the CSRF Token is located.
If it's in a cookie, then ${COOKIE_csrftoken} will contain it only if you set this in user.properties:
CookieManager.save.cookies=true
CookieManager.check.cookies=true
If it's in the response (header or body), then check:
http://jmeter.apache.org/usermanual/component_reference.html#CSS/JQuery_Extractor
http://jmeter.apache.org/usermanual/component_reference.html#Regular_Expression_Extractor
You say you tried them; show how you did it.
The How to Load Test CSRF-Protected Web Sites guide has a demonstration of how CSRF protection can be bypassed for a Django web application with all the main post-processors (RegEx, CSS, XPath).
Hope this helps.

JMeter MVC Login: The required anti-forgery cookie "__RequestVerificationToken" is not present

I have passed the __RequestVerificationToken value in the login page by capturing it via regex in an MVC login.
However, the following response is received on executing the JMeter script:
The required anti-forgery cookie "__RequestVerificationToken" is not present.
POST data:
__RequestVerificationToken=dZyoPd6T4QmfY-vHSxluKMZcnyNsyxL7rxF2hU5q1Gy8l8- lj9At8Id65CMXrlPxKhUcm8I06B-q_EMRLbLc8vf18FvwNrEPh1f69JqwwgOZs3Duz84d30qlfRBu27un4lx0rQ2&UserName=UserName&Password=PW&RememberMe=I&Button=Log+On&DXScript=1_144%2C1_80%2C1_98%2C1_104%2C14_25%2C14_13%2C1_105%2C1_94%2C1_136%2C1_91%2C14_0%2C1_79%2C14_2%2C1_129%2C1_87%2C14_7%2C1_77%2C1_127%2C1_89%2C1_88%2C14_8%2C1_142%2C1_113%2C1_143%2C1_108%2C14_9%2C1_135%2C1_134%2C1_120%2C14_24%2C1_130%2C1_84%2C1_109%2C1_139%2C1_117%2C1_119%2C14_15%2C1_128%2C1_122%2C14_16%2C14_18%2C1_126%2C1_133%2C1_137%2C14_21%2C14_23%2C1_86%2C5_5%2C5_4%2C4_11%2C4_10%2C4_6%2C4_7%2C4_9%2C14_12%2C4_5%2C1_97%2C1_100%2C4_12%2C4_13%2C1_96%2C1_90%2C1_138%2C1_114%2C14_11%2C1_125%2C1_132%2C7_51%2C1_82%2C7_53%2C14_17%2C1_101%2C1_92%2C14_1%2C1_93%2C14_3%2C1_95%2C1_106%2C14_5%2C1_118%2C1_103%2C14_14%2C1_102%2C1_107%2C10_2%2C10_1%2C10_3%2C10_4%2C14_4%2C9_1%2C9_5%2C14_19%2C9_4%2C8_10%2C8_17%2C8_24%2C8_26%2C8_9%2C8_12%2C8_13%2C8_18%2C14_20%2C8_21%2C8_23%2C8_22%2C8_16%2C8_19%2C8_20%2C8_14%2C8_15%2C8_25%2C8_11%2C6_12%2C14_22&DXMVCEditorsValues=%7B%22UserName%22%3A%22UserName%22%2C%22Password%22%3A%22pw%22%2C%22RememberMe%22%3Anull%7D&Button=
Appreciate your input on this!
Your question already has the answer.
The required anti-forgery cookie "__RequestVerificationToken" is not present.
Mind the cookie bit.
In my previous experience, CSRF-protected sites and applications usually send the CSRF token as a HEADER and expect it to come back as a COOKIE, either "as is" or encoded by some algorithm.
I suggest trying to add an HTTP Cookie Manager as a child of the request which is failing and adding a cookie with the name __RequestVerificationToken, the dynamic value which you're obtaining via RegEx, and the relevant domain and path (the easiest way to determine them is a browser + any sniffer, e.g. Firefox + the HTTPFox extension).

Send Django CSRF Cookie with YUI Uploader Request

I am trying to use the YUI uploader to upload files to a Django view.
However, I am getting a 403 error in CsrfViewMiddleware. I have determined that the problem is due to the flash uploader (that the YUI uploader uses) not sending the CSRF cookie in the file upload request.
The YUI uploader's uploadAll() function allows additional data to be sent with the upload request in object form. Since the CSRF cookie can be easily retrieved, I am trying to add the cookie to the request via the uploadAll() function, but I am not entirely sure as to what format to send it in so that CsrfViewMiddleware finds the cookie where it expects it. This does not work:
var cookie = YAHOO.util.Cookie.get('csrftoken');
uploader.uploadAll(url, 'POST', { csrfmiddlewaretoken: cookie });
Any insight would be greatly appreciated!
Unfortunately, because of Flash player limitations, the YUI Uploader can't insert the cookie into the header of the request, which is where the backend expects it to be. The only thing you can do, which is what that additional argument up there does, is to add POST variables to the request. However, that means that you need additional server logic to extract them as POST variables and then compare them to the cookie record -- it won't work by default.
If you are unable to modify the server-side code, you won't be able to authenticate the requests sent from the Uploader :(.
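An added example (mine, not from the answer) of the extra server-side logic the answer calls for: the uploader sends csrfmiddlewaretoken as a POST variable but no csrftoken cookie, so the upload view compares the submitted value with the server's own record of the token instead of relying on CsrfViewMiddleware. It assumes the server keeps that record in the session under a key of its choosing, and that the recorded value is the exact token issued (as in Django of that era; current Django masks the form token, so a straight comparison would not apply).

```python
import hmac

CSRF_FIELD = "csrfmiddlewaretoken"   # Django's form field name, as sent by uploadAll()
SESSION_KEY = "_csrf_record"         # assumed: where the server stores its copy of the token
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_failure_reason(method, post_data, session):
    """Check a Flash upload request that carries the token only as a POST variable.
    Returns None when the request may proceed, otherwise a short reason for a 403.
    The view using this would be marked @csrf_exempt so Django's middleware does not
    reject it first for the missing cookie, and would return HttpResponseForbidden
    whenever a reason comes back."""
    if method in SAFE_METHODS:
        return None  # only state-changing requests need the token
    submitted = post_data.get(CSRF_FIELD, "")
    expected = session.get(SESSION_KEY, "")
    if not submitted or not expected:
        return "CSRF token missing"
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "CSRF token mismatch"
    return None


if __name__ == "__main__":
    # Constructed request data standing in for request.POST and request.session.
    print(csrf_failure_reason("POST", {CSRF_FIELD: "abc123"}, {SESSION_KEY: "abc123"}))
    print(csrf_failure_reason("POST", {CSRF_FIELD: "abc123"}, {SESSION_KEY: "xyz789"}))
```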