Sean’s Obsessions



29 Jun

Load testing a Rails app with JMeter and the authenticity_token

I have been slowly learning how to use JMeter to load test the Small Payroll application. One of the problems has been getting around the CSRF protection that Rails puts in with the authenticity_token parameter.

Each form has a hidden form element:

<div style="margin:0;padding:0;display:inline">
<input name="authenticity_token" type="hidden"
value="16iUP1J2tdSKyvHKgYR/I/og6K7NgPPmTHCZ+idQP4k=" />
</div>

The token is also encrypted in the session so that the response to the form has to match. This value changes every time the form is loaded and can’t be set to a known value, otherwise it would be easy to defeat the CSRF protection. This means that JMeter has to figure out the token and put it into the POST.

Googling around, I found some people who said they did it, and a lot of people who couldn’t get it to work, but no solid walkthroughs.

Here’s my solution:


There are three elements. The first is the HTTP request sampler that gets the login page. Under that is a regular expression extractor post processor that gets the authenticity token. The extractor uses a simple regexp to pull out the value parameter and saves it to the LOGIN_AUTH_TOKEN variable. The login is then done by making reference to the variable – ${LOGIN_AUTH_TOKEN}. Make sure you have the Encode? button checked, as the Base64 authenticity_token can contain characters (such as + and /) that are not URL-safe!

The final step, not pictured, is that you have an HTTP Cookie Manager in your thread group to take care of cookies. You probably already have one, though.

Sean
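
The extraction and encoding steps described above, as an added Python sketch (not part of the original post and not a JMeter test plan). The function names, the `login` field and the literal-space pattern are assumptions made for illustration; the HTML is the hidden field shown in the post.

```python
import re
from urllib.parse import urlencode, parse_qs

# Hidden field exactly as shown in the post (attributes split across lines).
LOGIN_PAGE = '''<div style="margin:0;padding:0;display:inline">
<input name="authenticity_token" type="hidden"
value="16iUP1J2tdSKyvHKgYR/I/og6K7NgPPmTHCZ+idQP4k=" />
</div>'''

# Assumed literal-space pattern: fails when a newline separates the attributes.
STRICT_RE = re.compile(
    r'<input name="authenticity_token" type="hidden" value="(.*?)" />')
# Whitespace-tolerant pattern; group 1 is the value an extractor would
# store in LOGIN_AUTH_TOKEN.
TOKEN_RE = re.compile(
    r'<input\s+name="authenticity_token"\s+type="hidden"\s+value="(.*?)"\s*/>')

def extract_token(html, pattern=TOKEN_RE):
    """Return the captured token, or None when the pattern does not match."""
    m = pattern.search(html)
    return m.group(1) if m else None

def post_body(token, encode):
    """Build the login POST body with URL-encoding on or off."""
    fields = {"authenticity_token": token, "login": "loadtest"}  # constructed
    if encode:
        return urlencode(fields)  # '+' -> %2B, '/' -> %2F, '=' -> %3D
    return "&".join(f"{k}={v}" for k, v in fields.items())

def server_sees(body):
    """Decode the body as a form parser does: a raw '+' becomes a space."""
    return parse_qs(body, keep_blank_values=True)["authenticity_token"][0]

if __name__ == "__main__":
    token = extract_token(LOGIN_PAGE)
    print("strict pattern match:", extract_token(LOGIN_PAGE, STRICT_RE))
    print("extracted token     :", token)
    print("seen when encoded   :", server_sees(post_body(token, True)))
    print("seen when raw       :", server_sees(post_body(token, False)))
```

With encoding off, the token that reaches the server differs from the one stored in the session, so the login POST fails the CSRF check even though the extraction itself was correct.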

6 Responses to “Load testing a Rails app with JMeter and the authenticity_token”

  1. Phil Rosenstein Says:

    Works great! Thanks.

  2. Prodis a.k.a. Fernando Hamasaki de Amorim Says:

    It has worked for me too.
    Thank you.

  3. Aynat Says:

    It worked for me after I changed the regular expression to:

    <input\s+name="authenticity_token"\s+type="hidden"\s+value="(.*?)"\s*\/>

    (\s+ instead of empty spaces)

  4. Elmatou Says:

    Logging works great for me, but the session is immediately reset.
    I have set a cookie and a cache manager. (Rails 2.3.11 & Devise 1.0.9)
    If anybody has an idea?!

  5. Priyanka Says:

    Great!!! This Post helped me a lot and saved my time.

  6. How to load test Ruby on Rails Applications with JMeter « Life Is Rails Says:

    [...] This article provides a detailed explanation how to do it. I only used s+ instead of empty spaces to make it work. [...]


© 2012 Sean’s Obsessions