Load testing a Rails app with JMeter and the authenticity_token
I have been slowly learning how to use JMeter to load test the Small Payroll application. One of the problems has been getting around the CSRF protection that Rails puts in with the authenticity_token parameter.
Each form has a hidden form element:
<div style="margin:0;padding:0;display:inline">
<input name="authenticity_token" type="hidden"
value="16iUP1J2tdSKyvHKgYR/I/og6K7NgPPmTHCZ+idQP4k=" />
</div>
The token is also kept in the encrypted session, so the value submitted with the form has to match it. This value changes every time the form is loaded and can’t be set to a known value, otherwise it would be easy to defeat the CSRF protection. This means that JMeter has to figure out the token and put it into the POST.
Googling around, I found some people that said they did it, and a lot of people who couldn’t get it to work, but no solid walkthroughs.
Here’s my solution:

There are three elements. The first is the HTTP request sampler that gets the login page. Under that is a regular expression extractor post processor that gets the authenticity token. The extractor uses a simple regexp to pull out the value parameter and saves it to the LOGIN_AUTH_TOKEN variable. The login is then done by making reference to the variable – ${LOGIN_AUTH_TOKEN}. Make sure you have the Encode? button checked, as the authenticity_token is not always base-64 friendly!
The final step, not pictured, is that you have an HTTP Cookie Manager in your thread group to take care of cookies. You probably already have one, though.
Sean
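The same two steps done outside JMeter, as an added example that is not part of the original post: extract the token from the login page with a whitespace-tolerant regex (the `\s+` form several commenters below needed, because the attributes in the markup above span a line break), and URL-encode it for the POST body, which is what the Encode? option does and why a raw `+` in the token otherwise arrives as a space. The HTML fragment is constructed; the attribute-order-independent parser fallback is my addition for cases where the regex proves brittle.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Constructed login page fragment in the shape the post shows (note the line
# break between the attributes of the hidden input).
LOGIN_PAGE = """
<form action="/session" method="post">
<div style="margin:0;padding:0;display:inline">
<input name="authenticity_token" type="hidden"
value="htJ+IyYu5MCL+mUSfBTjyVK8vOQFsUn+TbWkGosqEE8=" />
</div>
<input name="login" type="text" />
</form>
"""

# Same shape as the extractor regex in the post/comments; \s+ also matches newlines.
TOKEN_RE = re.compile(
    r'<input\s+name="authenticity_token"\s+type="hidden"\s+value="([^"]*)"\s*/?>'
)

def extract_token_regex(html):
    """What JMeter's Regular Expression Extractor does: group 1, or None if no match."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None

class _TokenFinder(HTMLParser):
    """Fallback that does not care about attribute order or quoting style."""
    def __init__(self):
        super().__init__()
        self.token = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "authenticity_token":
            self.token = a.get("value")

def extract_token_html(html):
    p = _TokenFinder()
    p.feed(html)
    return p.token

def build_login_body(token, login, password, encode=True):
    """Form body for the login POST. encode=False reproduces the un-encoded request
    a commenter saw: '+' is then decoded as a space by the server."""
    fields = {"authenticity_token": token, "login": login, "password": password}
    if encode:
        return urlencode(fields)  # '+' -> %2B, '=' -> %3D, survives the round trip
    return "&".join(f"{k}={v}" for k, v in fields.items())

def token_as_server_sees_it(body):
    """Decode the body the way a form-parsing server (Rack/Rails) would."""
    return parse_qs(body)["authenticity_token"][0]
```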

Works great! Thanks.
August 7th, 2010 at 11:02 am
It has worked for me too.
December 14th, 2010 at 8:46 am
Thank you.
It worked for me after I changed the regular expression to:
<input\s+name="authenticity_token"\s+type="hidden"\s+value="(.*?)"\s*\/>
(\s+ instead of empty spaces)
January 24th, 2011 at 8:55 pm
Logging works great for me, but the session is immediately reset.
March 20th, 2011 at 12:16 pm
I have set a cookie and a cache manager. (Rails 2.3.11 & Devise 1.0.9)
If anybody has an idea?!
Great!!! This Post helped me a lot and saved my time.
August 9th, 2011 at 10:19 pm
[...] This article provides a detailed explanation of how to do it. I only used \s+ instead of empty spaces to make it work. [...]
September 8th, 2011 at 6:05 pm
Did not work for me.
Is there anything we need to try?
July 31st, 2012 at 2:20 am
Hello Abhijeet,
Some people here have mentioned changes to the regular expression that might help. Also look at your Rails logs, is anything getting sent at all?
This technique should work on any application but since it uses regexps to parse the HTML it can be brittle and might need tweaking in some environments.
July 31st, 2012 at 6:53 am
Thank you for sharing this!
The change to the regular expression suggested by Aynat worked for me.
November 6th, 2012 at 3:59 pm
These instructions were extremely helpful and they got me past the Rails login page, but other form posts are failing because of the authenticity_token. I am including the token from the page that contains the form in the same fashion as illustrated above for the Rails login. I can clearly see the correct authenticity_token being extracted and posted in the form, but when I tail the logs it is failing because it cannot validate the token. I then end up back on the home page of the site with my user still logged in. Any ideas?
January 25th, 2013 at 1:09 pm
Hi,
I used the same regular expression to get the authenticity token.
I have noticed a strange quirk with JMeter, as sometimes my script will not run correctly, and it looks like every time the authenticity token contains a “+” sign, JMeter substitutes it with a space.
So for example the authenticity token is:
htJ+IyYu5MCL+mUSfBTjyVK8vOQFsUn+TbWkGosqEE8=
Then when I check what my script posted, I see this:
htJ IyYu5MCL mUSfBTjyVK8vOQFsUn TbWkGosqEE8
The strange thing is I’ve used the Regular Expression tester in JMeter to check my RegEx and that returns the full value including the “+” signs.
Slightly frustrating!
I’m using JMeter 2.8 btw.
February 11th, 2013 at 11:39 am
+ is also the HTML encoding of space, I’m wondering if there’s some decoding going on when you put it back out there?
February 11th, 2013 at 12:12 pm
Thanks for the reply, that was helpful.
I checked my settings and it looks like you need to make sure the Encode? option is enabled, otherwise JMeter doesn’t include the + character. Enabling this for my authenticity token worked!
February 12th, 2013 at 4:01 am
In JMeter 2.9 they added a CSS/jQuery extractor. Now it is possible to get tokens not only via XPath but via CSS as well.
February 13th, 2013 at 2:12 am
Later there will be a JMeter 2.9 review on the performance testing blog.