I'd like to share the _profiler cookie for all request for an user, anyway to do this in locust?
self.client.post(
"/customer/account/loginPost/bind/no/",
headers = headers,
data = {
'login[username]': email,
'login[password]': password,
'form_key': form_key
},
cookies={
'_profiler': True
}
)
//Another request in another task, I hope the `_profiler` cookies exists here.
self.client.get('/customer/section/load?sections=cart&force_new_section_timestamp=false',headers=headers)
I think that it's related to this:
How to configure or set cookie as json before making a post request in locust load test tool for FastHTTPUser
You could use the same approach
I have a scenario where I am hitting the keyCloak requests and using the token as a header in the other HTTP requests.
My problem is for 100 users it is generating 100 tokens so I am looking for the solution in which keyCloak request is hit only once and the token is used throughout the performance run.
Sample code snippet for the reference:
scenario("CMS service")
.exec(KeycloakToken.request(conf))
.exec(getOffers.request(conf))
.exec(offerById.request(conf))
Use feeder https://gatling.io/docs/current/session/feeder/ .
1) Create feeder
val feeder = Iterator.continually(Map("token" -> "dG9rZW4="))
2) Add feeder to scenario
scenario("CMS service")
.feed(feeder)
.exec(...)
3) Pass value via Gatling EL https://gatling.io/docs/current/session/expression_el
In your http request add token
http(...)
.post(...)
.header("your token header", "${token}")
I am trying to create a basic web login/authentication system in Play. Based on Play docs Im supposed to persist data across requests through Play's Session cookie; this is what my login looks like:
def login() = Action.async(parse.json) { implicit request =>
implicit val loginInfoReads: Reads[LoginInfo] = Json.reads[LoginInfo]
val newSession = request.session +
("test" -> "yep")
// #todo: add real error handling
val unauthedUser = request.body.validate(loginInfoReads)
.getOrElse(throw new Exception("Something went wrong with the login request"))
UserService.authAndGetUser(unauthedUser.email, unauthedUser.password).map { res =>
Ok(res.name).withSession(newSession)
}
I can see the cookie included in the response cookies in Chrome dev tools, but when I make a subsequent request to get the data inside the session, I get an empty map:
Logger.debug(request.session.data.toString)
logs:
Map()
and attempting to access "test" via request.session.get("test") fails.
What am I missing here? Why is my session data not persisting across requests?
Thanks
Turned out it wasn't a Scala/Play problem, more general problem with Chrome and cookies when hitting localhost. Here's what fixed it for me:
https://stackoverflow.com/a/39233628/747340
My tests run fine but now I need multiple sessions running at once. I've tried getting the cookie value using headerRegex("Set-Cookie", "HOME_SESSID=(.*)").saveAs("homeSessid") but when I print this out its returning a value of com.excilys.ebi.gatling.http.check.HttpMultipleCheckBuilder#6075598
I have no idea where this is coming from. My question is: what is going on?
Thanks.
edit: forgot to mention that the value its returning is not a session id and no matter what I use for the cookie name I get the same value.
edit (solution):
1) In the first .exec: .check( headerRegex("Set-Cookie", """HOME_SESSID=(.*dll/(\d+))""").saveAs("homeSessid") )
2) Then to retrieve homeSessid in later http requests I did, for example:
.post( session=>{session}.getAttribute("homeSessid").toString + "/some/relative/url" )
1) In the first .exec:
.check( headerRegex("Set-Cookie", """HOME_SESSID=(.*dll/(\d+))""").saveAs("homeSessid") )
2) Then to retrieve homeSessid in later http requests I did, for example:
.post( session=>{session}.getAttribute("homeSessid").toString + "/some/relative/url" )
Please properly read the Check documentation. Checks save data into the Session, so that's where you have to read. Here, you're just trying to print the extractor.
For example, after performing your check, you could add a exec(function), like:
.exec(session => {
println(session("homeSessid").as[String]) // Gatling 2 API
session
})
How to add a parameters to the Google OAuth 2.0 redirect_uri?
Just like this:
redirect_uri=http://www.example.com/redirect.html?a=b
The b of a=b is random.
Anyone can help ?
You cannot add anything to the redirect uri, redirect uri is constant as set
in the app settings of Oauth.
eg :http://www.example.com/redirect.html
To pass several parameters to your redirect uri, have them stored in state
parameter before calling Oauth url, the url after authorization will send the same parameters to your redirect uri as
state=THE_STATE_PARAMETERS
So for your case,do this:
/1. create a json string of your parameters ->
{ "a" : "b" , "c" : 1 }
/2. do a base64UrlEncode , to make it URL safe ->
stateString = base64UrlEncode('{ "a" : "b" , "c" : 1 }');
This is a PHP example of base64UrlEncoding & decoding (http://en.wikipedia.org/wiki/Base64#URL_applications) :
function base64UrlEncode($inputStr)
{
return strtr(base64_encode($inputStr), '+/=', '-_,');
}
function base64UrlDecode($inputStr)
{
return base64_decode(strtr($inputStr, '-_,', '+/='));
}
So now state would be something like: stateString -> asawerwerwfgsg,
Pass this state in OAuth authorization URL:
https://accounts.google.com/o/oauth2/auth?
client_id=21302922996.apps.googleusercontent.com&
redirect_uri=https://www.example.com/back&
scope=https://www.google.com/m8/feeds/&
response_type=token&
state=asdafwswdwefwsdg,
For server side flow it will come along with token :
http://www.example.com/redirect.html?token=sdfwerwqerqwer&state=asdafwswdwefwsdg,
For client side flow it will come in the hash along with access token:
http://www.example.com/redirect.html#access_token=portyefghsdfgdfgsdgd&state=asdafwswdwefwsdg,
Retrieve the state, base64UrlDecode it, json_decode it, and you have your data.
See more about google OAuth 2 here:
http://code.google.com/apis/accounts/docs/OAuth2.html
Since the accepted answer does expose the actual data and misuses the state parameter instead of sticking to a nonce to protect against CSRF, I'll try to show a proper method. Rather than passing (read exposing) data it should be kept local. Hydrate it before the request and re-hydrate it after a validated request. "Validated" here means that the state-nonce of request and response match.
You need some kind of temporary client side storage. E.g. for SPA or general websites keep it in state or use the browser's localStorage, a session (or a signed cookie). For mobile apps they should use memory or any other local storage.
Before sending the request generate a nonce (see below) that will be used as state parameter for the request. Store the nonce together with the custom state (e.g. a json) in local storage.
For example, the nonce could be ih4f984hf and the custom state {"role": "customer"}. Then you could store data for re-hydration for that request like this:
"ih4f984hf": {
"role": "customer"
}
Then use only the nonce as value for the state parameter of the request. (If you absolutely want to combine the nonce and data into the state value be sure to encrypt it and be aware that the length of the value is limited!)
When receiving a response you get the value of the state parameter back. Look it up and if it matches the value in the local storage you may process the data using the stored state. If the nonces do not match the request is potentially from an attacker and should not be processed.
Generating the nonce
Remember that the nature of a nonce is that it is used once only and must be unpredictable! Unpredictable here means ideally random, but practically pseudo-random is ok if the entropry is high enough - in web apps you might want to check Web API Crypto which is supported pretty well.
For further readings this might be helpful:
http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html
https://datatracker.ietf.org/doc/html/draft-bradley-oauth-jwt-encoded-state-00
https://auth0.com/docs/protocols/state-parameters#set-and-compare-state-parameter-values
If you are in .NET you could save the parameters in the Session
HttpContext.Current.Session[{varname}]
and redirect to the authorization page without parameters
Response.Redirect(your_uri_approved_with_no_querystring_parameters);
In Javascript (Node), you could set the state property to an object of key value pairs.
const oAuth2Client = await new google.auth.OAuth2(
clientId: <clientId>,
clientSecret: <clientSecret>,
redirectUrl: <redirectUrl>,
);
return await oAuth2Client.generateAuthUrl({
access_type: "offline",
scope: <scopes>,
state: JSON.stringify({ a: "y", b: "z" }),
});
On google authorization complete, it returns of the state, code etc from ulr,
const params = JSON.parse(state); // { a: "y", b: "z" }
You can redirect parameter with url as below,
When you get response from google than you can pass parameter with url,
See below php code for same,
if (isset($_GET['code'])) {
$client->authenticate();
$_SESSION['token'] = $client->getAccessToken();
$redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL) . '?r=page/view');
}
In above example r=page/view is parameter on which i want the response with parameter