I have a magic link to access a website without logging in, let's say the magic link is something like this
https://key.example.exampl.tr/auth/realms/test/protocol/openid-connect/auth?client_id=my-react-client&state=ba453a80-d991-4b3b-a791-3fc2629aea03&redirect_uri=https://test.example.exampl.tr/&scope=openid&response_type=code&user_id=d0bcdd07-3198-4ab6-9cfd-d0b6341dbe00&key=7a1b4163-76e8-465c-a914-c68f16761698
when I use the link in the browser it works as expected and accesses the home page without asking me to log in. BUT when I use the same link inside HTTP GET Request using JMeter, it redirects me to the login page. Why is that happening and how to solve it?
This is happening because your browser stores specific cookies and caches for the particular request, whereas JMeter will request a new session every time if you are not using HTTP Cookie Manager and HTTP Cache Manager explicitly.
Try clearing your browser history, cookies and caches and hit the same request/URL; it will also redirect to the login page and behave the same as JMeter does.
Related
I was asked to implement a "one session per account" limitation on an old Java 7/Struts 1 web application.
During development, I'm getting a behavior which I can't really understand.
So if there's an account "Account-A" currently logged in with a session "Session-1234" and then the same account gets logged in but with a different session "Session-4567" then the session "Session-1234" is marked to be invalidated in the next request performed by that session.
During the process of invalidation of the "Session-1234", one of the steps is redirecting (302) the client to the login page.
Now here is what I don't understand.
If the request is coming in "synchronous" mode, everything works as expected.
User clicks some link
Server -> invalidates session and redirects (302) to login.
Browser -> detects 302, looks for the Location header and performs a GET.
Server -> serves the resource.
Browser -> shows login and updates the URL.
If the request is coming in "asynchronous" mode aka AJAX, now I have problems because what happens is that the page never changes and the content of the login is displayed right there.
My question is not how to solve this "problem", but rather to have a really good grasp on why it behaves like this.
If you are working with a programmatic client, you have 2 main options:
1. Don't use cookies, use the Authorization header and let the server emit a 401, telling the client their token is now invalid.
2. With your JavaScript client, read if the server returned a 302 response and Location header and respond to that.
#2 is basically a hack that lets you mimic the standard browsers' behavior. #1 is more appropriate for an API.
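The two answers above (a browser's stored cookies versus a JMeter run without an HTTP Cookie Manager, and a 302 to the login page versus a 401 for programmatic clients) can be reproduced locally. This is an added example, not code from the original posts: the /session, /home and /api/home paths and the SID cookie are constructed, and Python's urllib stands in for the scripted client.

```python
import threading
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

class App(BaseHTTPRequestHandler):
    """Constructed stand-in site: /session logs in, /home and /api/home need the cookie."""
    def reply(self, status, body=b"", header=("Cache-Control", "no-store")):
        self.send_response(status)
        self.send_header(*header)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        authed = "SID=demo" in self.headers.get("Cookie", "")
        if self.path == "/session":  # stands in for an earlier successful login
            self.reply(200, b"OK", ("Set-Cookie", "SID=demo; Path=/"))
        elif self.path == "/home" and not authed:  # page flow: 302 to login
            self.reply(302, header=("Location", "/login"))
        elif self.path == "/api/home" and not authed:  # API flow: explicit 401
            self.reply(401, b"SESSION INVALID")
        else:  # /login itself, or a protected path with a valid cookie
            self.reply(200, b"LOGIN PAGE" if self.path == "/login" else b"HOME PAGE")

def fetch(opener, base, path):
    """Return (status, final path, body) exactly as the calling script sees it."""
    try:
        with opener.open(base + path) as resp:
            return resp.status, resp.geturl()[len(base):], resp.read().decode()
    except error.HTTPError as err:
        return err.code, path, err.read().decode()

def demo():
    server = HTTPServer(("127.0.0.1", 0), App)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    direct = request.ProxyHandler({})  # ignore proxy environment variables
    jar = request.build_opener(direct, request.HTTPCookieProcessor(CookieJar()))
    clients = {"no_jar": request.build_opener(direct), "jar": jar}
    out = {}
    for name, opener in clients.items():
        fetch(opener, base, "/session")  # both clients "log in" first
        out[name] = fetch(opener, base, "/home")
    out["api_no_jar"] = fetch(clients["no_jar"], base, "/api/home")
    server.shutdown()
    return out

if __name__ == "__main__":
    print(demo())
```

The server's request log on stderr shows GET /home answered with 302 followed by GET /login answered with 200, a chain the cookie-less client only observes as one 200 response carrying the login page.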
JMeter is not able to load the web page after the login page redirects to the default homepage.
After starting recording with the webpage URL, it will redirect to the login page and, after submitting credentials, it will redirect to the default homepage. JMeter is able to redirect to the default homepage but is not able to load its content. It looks like it is in a loading state.
During recording I have unchecked FOLLOW REDIRECT and REDIRECT AUTOMATICALLY.
If we open the homepage normally, without JMeter recording, it loads perfectly.
With the given information, I can't pinpoint the issue. But following is the useful information for debugging:
Understand the HTTP traffic that is generated when using the application. To capture the traffic, you can use the browser's built-in tools (Chrome, IE and Firefox: F12, Network tab) or Wireshark, Fiddler, etc. Delete the cache before you start.
Find the source/initiator of the request which loads the content of the user logged in.
Once you find the trigger/source point of the request:
a. If the source is an HTML file, then JMeter will send the requests for embedded resources only if "Retrieve All Embedded Resource" is enabled.
b. If the source is other than HTML, such as .js (in the case of AJAX requests) or .css, then it is a LIMITATION in JMeter, which won't parse these files to check for the requests to send, even if "Retrieve All Embedded Resource" is enabled.
So, if the source of the request (which loads content) is .js or .css, then we should explicitly add that request as a sampler (take care of other things, such as adding HTTP Cookie Manager, Header Manager etc., in case the request demands).
Meanwhile, please provide following information:
Are all HTTP requests recorded? Match with the browser (F12) Network tab.
If yes, what is the status of those requests, when replayed? Check using View Results Tree Listener.
If only parent/source request is recorded, then look whether it is sending the request/s (which loads the content) using View Results Tree Listener.
I have recorded a script in JMeter; when I run it, in View Results Tree the URL gets changed automatically to some other page. My original request has no cookies, while the page to which it redirects contains cookies. Later, I checked manually in my browser and saw cookies being passed in the request. So I added an HTTP Header Manager with the cookie data and executed the test, but it is still redirecting. I thought to correlate the cookie value, but I can't get it in any response above. Can anyone suggest something?
I'm using Spring MVC, MySql and Tomcat 7.
Currently the application I'm developing can be accessed by 2 URLs namely IP:PORT/APP and www.app.com.
When accessing via www.app.com I see a session being created for every page/link that I open but it doesn't happen when I access via IP:PORT/APP.
I have a check for logged-in user in every page and due to too many sessions that check is failing and I'm being re-directed to my login page even after logging in.
Also, when opening the www.app.com index page I see a jsessionid in the address bar, and not when I open it via IP.
Any help/guidance is appreciated.
It seems that when you are accessing the page via domain name (www.app.com), cookie support is not found and hence the url rewriting is being done (i.e. appending jsessionid at the end of the url). But this is not observed while accessing the same page via IP Address (IP:PORT/APP), meaning cookie support is enabled at this time.
You can check whether you have enabled some security settings that are not allowing cookies.
Further to this, it seems that even url rewriting is not helping as sessions are being created for every request.
You can use some HTTP interceptors to analyze the request being sent and the response being received in each case. You can use Developer Tools in Chrome to inspect this. Load your page in Google Chrome, right-click on the page and click 'Inspect Element'. Open the 'Network' tab. Reload the page. You can now inspect the HTTP request headers sent and response headers received for each request. Analyze the difference between the requests using the IP address and the requests using the domain name.
Also, share the architecture of the application and the environment where you are testing the application.
I have a form-based authentication application. I am able to log on to the system as per my database by posting a request to my login page.
But after that, if I try a GET request for any internal page, I get a request as www.example\login?dashboard with a cookie, but the response HTML is that of my login page.
I have a cookie manager added on the top.
There are a couple things to check that could be causing this:
There is a hardcoded parameter, like sessionID that needs to be unique for each session
The page requests have "automatic redirect" enabled and should not (or vice-versa)
Login is actually failing, but the site is not giving a clear error message