I have a JMeter test plan that runs well when I access my own development machine.
When I move to a staging server with the application, I always get "no session" errors, which means I can't make a request to an authenticated page while running the test against my staging server.
I thought it was a problem with the cookie manager, but I tried switching between all of the cookie policies and got nothing better.
I don't know where else to check. Can you help?
Without knowing your structure, I can only tell you what you need to look into. My last test's authentication was something like this:
- CSV Data Config (contains a CSV with username and password)
- HTTP Request (login page)
- Response Assertion (which makes sure that a session exists)
- Regular Expression Extractor (find the session ID and set it to a variable)
- ...
If you can post your structure, I may be able to help you a little more.
I am making a chat service (something like Zendesk), and a website must be registered in order to use the service. There will be a frame which the website owner places in the .html file, and the rest is up to me.
Problem
Anyone can start using the service right now (by reading the requests and copying them in Postman). I want a method to restrict access only to those websites that have registered to use the service, either when the session is started or on the messages sent from that session.
Failed solutions (to give an idea of what I am trying to do)
A stupid idea was to read and send the website URL with JavaScript and check if it exists in the database, but that can easily be forged.
I also tried generating unique tokens for each registered website, but the token is something that must be sent with the request for validation, and since it is something the public can see (the token is placed with the frame), that token is indeed meaningless. (Maybe I don't understand how tokens work.)
At this point, it seems like this is inevitable. Any ideas?
(The back-end is written in Django 3.1, and my database tables look like this, if it helps. Ignore the details, just an overview.)
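The post above is right that a token shipped inside a public embed snippet is not a secret. What it can still be is an identifier that the server binds to something the embedding browser supplies and page scripts cannot override: the Origin header. The example below is an added illustration of that binding, not code from the question or any project; the registry, site ids, tokens, origins and function names are all made up. It demonstrates the trade-off a practitioner would want spelled out: a copied token embedded on an unregistered site is refused because the browser sends that site's Origin, and an origin-less request is refused, but a non-browser client such as Postman can set any Origin it likes, so this narrows the abuse to deliberate API clients rather than eliminating it. The server-issued session id gives a handle for per-site rate limiting and revocation of those clients.

```python
import secrets
from urllib.parse import urlsplit

# Constructed registry for this example: the widget token is embedded in the
# customer's HTML, so it is public and only identifies the site. What binds a
# browser-initiated request to that site is the Origin header, which the
# browser sets from the embedding page and which page scripts cannot change.
# Site ids, tokens and origins below are made up.
SITE_REGISTRY = {
    "site-42": {"token": "pub_3f9c1a7e", "origin": "https://shop.example"},
    "site-77": {"token": "pub_b1d2e3f4", "origin": "https://blog.example:8443"},
}

# Server-side session store: session id -> site id. Session ids are minted by
# the server, never taken from the client, so they can be revoked or rate
# limited per site.
SESSIONS = {}


def normalize_origin(value):
    """Reduce an Origin header (or a registered URL) to scheme://host[:port]."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def authorize_widget(token, origin_header):
    """Return the site id if the public token belongs to a registered site AND
    the request's Origin matches that site's registered origin; else None."""
    if not isinstance(token, str):
        return None
    origin = normalize_origin(origin_header)
    if origin is None:
        return None  # no usable Origin: not a browser embedding (or a 'null' origin)
    for site_id, entry in SITE_REGISTRY.items():
        if secrets.compare_digest(entry["token"], token) and \
                normalize_origin(entry["origin"]) == origin:
            return site_id
    return None


def start_session(token, origin_header):
    """Mint a server-side session bound to the authorized site; None if refused."""
    site_id = authorize_widget(token, origin_header)
    if site_id is None:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = site_id
    return session_id


def accept_message(session_id, origin_header):
    """Accept a chat message only if the session exists and the Origin still
    matches the site the session was minted for."""
    site_id = SESSIONS.get(session_id)
    if site_id is None:
        return False
    return normalize_origin(origin_header) == normalize_origin(SITE_REGISTRY[site_id]["origin"])


if __name__ == "__main__":
    print(authorize_widget("pub_3f9c1a7e", "https://shop.example"))  # site-42
    print(authorize_widget("pub_3f9c1a7e", "https://evil.example"))  # None: token copied to another site
    print(authorize_widget("pub_3f9c1a7e", None))                    # None: no Origin, e.g. a raw API client
```

In Django the Origin value would come from request.META["HTTP_ORIGIN"]; it is absent on same-origin GETs and on some older browsers, so widgets that only POST (or use fetch with CORS) are the easiest to protect this way.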
Frankly speaking, Azure still does not have a direct way to set up alerts on continuous WebJobs so that one can get a notification if a WebJob stops for unknown reasons. After some investigation I found that Logic Apps are the best way to do that. Here are the steps for how one can achieve this:
- Go to the Azure WebJob, select Properties and copy the webhook URL, username and password.
- By default the webhook URL will have a /run suffix at the end; remove that, as you don't want to run the WebJob.
- Create a Logic App with the following steps, in exact order:
  - Recurrence: your choice of how frequently you want to run your Logic App
  - Initialize a variable, for example status (type: string)
  - Call the HTTP endpoint, giving the details you copied earlier
  - Add a Parse JSON step, pasting a sample response so that the Logic App can create its own schema
  - Pick the item name for the value you want to read; for example, I am using status
  - Add a condition for failure
  - Send the mail or whatever you want to do
Overall your Logic App will look something like this:
This is helpful, indeed. But I was facing an issue with the webhook URL authentication. The Logic App connector was returning 401 Unauthorized for the HTTP request, as the password was encoded. It took a while to understand why it was throwing Unauthorized even after providing the correct credentials. Hence, copying the original password helped in that case (if nothing else).
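The two traps in the steps above, the /run suffix and the URL-encoded password from the comment, are easy to reproduce outside the Logic App designer. The script below is an added example, not code from the answer, the comment or Azure; it builds the pieces the HTTP and Parse JSON steps rely on against a constructed response. The webhook URL shape, the JSON field names and the status values "Running" and "Stopped" are assumptions made for the example (the answer itself only says it reads a status field).

```python
import base64
import json
from urllib.parse import unquote

# Constructed sample of a WebJob status response. Only "status" is used,
# matching the field the Logic App condition above reads.
SAMPLE_RESPONSE = '{"name": "my-webjob", "type": "continuous", "status": "Stopped"}'

# Constructed webhook URL in the shape described above (ends in /run).
SAMPLE_WEBHOOK_URL = "https://myapp.scm.azurewebsites.net/api/continuouswebjobs/my-webjob/run"


def status_url(webhook_url):
    """Drop the trailing /run so a GET reads the job's status instead of starting it."""
    if webhook_url.endswith("/run"):
        return webhook_url[:-len("/run")]
    return webhook_url


def basic_auth_header(username, password_as_copied):
    """Build the Authorization header value for the HTTP action.

    The password shown next to the webhook URL may be URL-encoded (for example
    '%24' for '$'); sending that encoded form is what produced the 401 in the
    comment above. Decode it before base64-encoding user:password.
    """
    raw = f"{username}:{unquote(password_as_copied)}"
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def webjob_status(body):
    """The Parse JSON step: return the status field, or None if it is absent."""
    data = json.loads(body)
    return data.get("status")


def needs_alert(status, healthy=("Running",)):
    """The failure condition: anything other than a healthy status sends the mail.
    A missing status counts as failure so a changed schema does not silence alerts."""
    return status not in healthy


if __name__ == "__main__":
    status = webjob_status(SAMPLE_RESPONSE)
    print(status_url(SAMPLE_WEBHOOK_URL))
    print(f"status={status} alert={needs_alert(status)}")
```

If the real password legitimately contains a percent sign followed by two hex digits, unquote() will mangle it; in that case try the value exactly as copied as well, which is what the comment ended up doing.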
I am just playing around with Google App Engine, webapp2, and Python; I am just building a small toy app for fun. A small side note: I am using ndb for the Google App Engine datastore.
With building a small web app comes sessions.
I was reading the webapp2 documentation on sessions, as well as the most popular threads on this website on how to set up sessions. What I don't get about this process is this small piece of code in the config:
config = {}
config['webapp2_extras.sessions'] = {
    'secret_key': 'my-super-secret-key',
}
I am pretty new to web development. However, building other smaller apps with this same framework, I did the following to build somewhat secure hashed cookies:
user_key = user_key.id()
user_cookie = self.request.cookies.get('user_cookie', None)
and
self.response.headers.add_header('Set-Cookie', 'user=%s|%s' % (user_cookie, hash_string(user_cookie)))
self.write('Thank you for signing up! And, welcome %s' % user.name)
Is that what the first bit of code above, for the config, is trying to accomplish?
In other words, what is this secret key for?
Also, let's say I want to set the 'sessions' cookie to the user ID.
Would the code below be the correct way to do this?
self.session[name] = user_key.id()
session_info = self.session.get(name)
Thank you.
The secret_key is used by the server to digitally sign the cookie data that you are reading when you call self.request.cookies.get('user_cookie', None).
The cookies are continually passed from client to server along with the digital signature. When the client presents the cookie values to the server with each request, it does so with the digital signature given by the server. Each time, the server signs the current cookie values; if the signature passed in by the client does not match the server's signature over those values, the server knows the parameters of the cookie have been tampered with. This guards against a malicious client trying to impersonate another user or otherwise perform an unauthorised action.
This scheme only works if the key is known only to the server; otherwise any client could also sign cookies that the server would accept. Hence secret_key.
The default signature algorithm in webapp2 is HMAC-SHA1.
Also, quickly, when I look at the cookie set by instantiating sessions, it is an extremely long string
This is the code that the server uses to authenticate a cookie, if you are curious. You'll notice that the cookie is a base64-encoded JSON document.
Now I suppose that the value of secret_key can then be any string that you'd like it to be, correct?
As they spell out from RFC 2104 on this security thread, any string of 20 or more randomly chosen bytes should do for HMAC-SHA1.
Also, lets say I want to set the 'sessions' cookie to the user id
I think this is probably the example you are looking for.
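To make the signing scheme from the answer above concrete, here is an added example of a signed session cookie written from scratch for this page; it is not webapp2's own code, and it does not reproduce webapp2's exact wire format. It follows the same idea: the payload is compact JSON, base64-encoded (the long string the question noticed), the HMAC covers the cookie name, payload and timestamp, and verification uses a constant-time comparison. It uses HMAC-SHA256 rather than the HMAC-SHA1 default mentioned above, and generates the secret with secrets.token_bytes, giving 32 random bytes, above the 20-byte floor quoted from RFC 2104. forge_payload shows what a client who edits the cookie can do and why it fails.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def new_secret_key(nbytes=32):
    """secret_key must be unpredictable and known only to the server.
    32 random bytes exceeds the 20-byte minimum quoted above for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def _encode(data):
    """Cookie payload: compact JSON, then URL-safe base64."""
    text = json.dumps(data, separators=(",", ":"), sort_keys=True)
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii")


def _signature(key, name, payload, timestamp):
    """HMAC over cookie name, payload and timestamp so none of them can be swapped."""
    msg = f"{name}|{payload}|{timestamp}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_cookie(key, name, data, timestamp=None):
    """Produce the 'payload|timestamp|signature' value to put in Set-Cookie."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    payload = _encode(data)
    return f"{payload}|{ts}|{_signature(key, name, payload, ts)}"


def verify_cookie(key, name, value, max_age=None, now=None):
    """Return the decoded data, or None if the cookie was tampered with, signed
    with a different key or for a different cookie name, malformed, or older
    than max_age seconds."""
    try:
        payload, ts_text, sig = value.split("|")
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return None
    expected = _signature(key, name, payload, ts)
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    current = int(time.time()) if now is None else int(now)
    if max_age is not None and current - ts > max_age:
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))
    except ValueError:
        return None


def forge_payload(value, data):
    """What a client who edits the cookie can do: swap the payload while keeping
    the original timestamp and signature. verify_cookie rejects the result."""
    _, ts_text, sig = value.split("|")
    return f"{_encode(data)}|{ts_text}|{sig}"


if __name__ == "__main__":
    key = new_secret_key()
    cookie = sign_cookie(key, "session", {"user_id": 42})
    print(cookie)
    print(verify_cookie(key, "session", cookie))                                  # {'user_id': 42}
    print(verify_cookie(key, "session", forge_payload(cookie, {"user_id": 1})))  # None
```

The timestamp inside the signed data is what lets the server expire sessions without storing anything; without it a captured cookie would stay valid for as long as the key does.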
I'm new to JMeter, so forgive me if I'm asking the obvious. I am writing a performance test for a site protected by username and password, where the authentication is passed as a token in the cookies.
I am able to extract the token and add it to the pages themselves, but when using "Retrieve embedded resources" it seems like the cookies are being cleared. I have a single Cookie Manager at the top of the Thread Group, and the token itself is being added by a BeanShell PostProcessor.
Any ideas?
Gil.
I have never heard of cookies being removed from the "embedded resources" requests; looking into the View Results Tree listener, the cookies are present on a fresh JMeter 3.0 installation.
If the HTTP Cookie Manager is disabled or removed, I don't see this "Cookie Data".
So my expectation is that you either misconfigured something or made a mistake in your BeanShell script.
By the way, you can "tell" JMeter to store cookies as JMeter Variables by adding the line CookieManager.save.cookies=true to the user.properties file. See the Using the HTTP Cookie Manager in JMeter article for more detailed information.
Please VOTE TO CLOSE instead of downvoting. I can't delete the question now that there are answers for it.
I've been playing with JMeter for a few days now, and I'm starting to get into the steeper part of the learning curve, it seems. I've added a login request (I had to put it in a Loop Controller in the Thread Group). I then have a Cookie Manager followed by two requests that are made by the browser (according to Fiddler) after logging in. These next two requests require a cookie, though, and they don't seem to be working right now. I've set the Cookie Manager's Cookie Policy to "compatibility". Then I look at the View Results Tree and I see that the two requests after login are failing, and in the Request tab I see "[no cookies]".
Rather perplexing. Here's a screenshot.
I've modified my login request a bit:
However, the next request still fails with a "not logged in" and "forbidden" message:
Not sure, as I don't have the full test plan, but your login request seems to have failed because you get a redirect from http to https in the tree result.
As you can see in the tree, you have 2 samples inside:
the login one with http, then one with https.
If you are a beginner, I suggest reading this:
http://jmeter.apache.org/usermanual/jmeter_proxy_step_by_step.pdf
It will help you build your test plan easily.
If you don't succeed with the proxy, then I suggest you remove the Loop Controller and test with only one iteration to see what's happening.
You can click on the sampler in the tree result and select the Request tab.
Check that your login request is using https; it's in the scheme of the HTTP sampler.
If it's a redirect that you cannot anticipate, then disable "follow redirects" and, with a Regular Expression Extractor post-processor:
http://jmeter.apache.org/usermanual/component_reference.html#Regular_Expression_Extractor
extract the URL from the redirect and submit it with the login and password in the next HTTP sampler.
Regards
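The JMeter elements named in this answer (and in the CSV / Response Assertion / Regular Expression Extractor structure in the first answer on this page) each do one small thing to the login response. The Python below is an added sketch of those steps over two constructed raw responses, written for this page rather than taken from JMeter or from either answer: it detects the http-to-https redirect the answer points at, pulls the Location out of it as the extractor would, replays the Set-Cookie as the HTTP Cookie Manager would, and checks that a session cookie was set as the Response Assertion would. The host www.server.com and the cookie name JSESSIONID are assumptions; the "NOT_FOUND" default mirrors the extractor's configurable default value, which is how a failed login shows up as a visible placeholder in the variable instead of an empty string.

```python
import re
from http.cookies import SimpleCookie

# Constructed raw responses standing in for what View Results Tree shows.
# First sample: the http login request answered with a redirect to https,
# which carries no session cookie (this is the failure described above).
LOGIN_REDIRECT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://www.server.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Second sample: the https login, which sets the session cookie.
LOGIN_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=ABC123DEF456; Path=/; HttpOnly; Secure\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome back</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def regex_extract(text, pattern, group=1, default="NOT_FOUND"):
    """Mimic the Regular Expression Extractor: the first match's group, or the
    configured default value when nothing matches."""
    m = re.search(pattern, text)
    return m.group(group) if m else default


def redirect_target(raw):
    """With 'follow redirects' off, the Location header is the URL the next
    HTTP sampler must submit the login to."""
    status, headers, _ = parse_response(raw)
    if status not in (301, 302, 303, 307, 308):
        return None
    return dict(headers).get("location")


def session_cookie_header(raw, name="JSESSIONID"):
    """What the HTTP Cookie Manager does: keep Set-Cookie values and replay
    them as a Cookie header on the following requests."""
    _, headers, _ = parse_response(raw)
    jar = SimpleCookie()
    for hname, value in headers:
        if hname == "set-cookie":
            jar.load(value)
    if name not in jar:
        return None
    return f"{name}={jar[name].value}"


def session_established(raw, name="JSESSIONID"):
    """The Response Assertion: the login response must carry the session cookie."""
    return session_cookie_header(raw, name) is not None


if __name__ == "__main__":
    print(redirect_target(LOGIN_REDIRECT))                 # https://www.server.com/login
    print(session_established(LOGIN_REDIRECT))             # False
    print(regex_extract(LOGIN_OK, r"JSESSIONID=([^;]+)"))  # ABC123DEF456
    print(session_cookie_header(LOGIN_OK))                 # JSESSIONID=ABC123DEF456
```

Run against the first sample the assertion fails and the extractor returns its default, which is exactly the "[no cookies]" situation: the plan moved on to the authenticated requests with nothing to send.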
I had to learn a little bit more about the requests being made to the system in order for this to work. Instead of a call to www.server.com/login, I made a request to www.server.com/sessions.json and provided a JSON file with username and password. Doing this set the cookie and the Cookie Manager took over. Then, without modifying the other two requests, everything was hunky-dory.
Based on the images that you have posted, I found the error.
The Cookie Manager should be under the scope "Test Plan". You have created a Cookie Manager with the scope of a single HTTP Request.
Please leave the HTTP Cookie Manager with the standard settings. It should work.
For more details, refer to the JMeter documentation below:
http://jmeter.apache.org/usermanual/component_reference.html#HTTP_Cookie_Manager