Keep getting 403 Forbidden when using load tester Jmeter on OutSystems
Question
Application Type
Reactive

Hi, I am trying to load test an OutSystems application using Jmeter, but keep getting a 403 Forbidden response.

When I run the tests, my GET requests and my initial POST login request pass. However, the remaining POST requests will fail. Below is a POST request example:

This will be the Response data, from the POST request.

Below => the image below indicates the non-unique CSRF token

Below => the image below indicates the unique CSRF token

When I run the test on Jmeter, the CSRF token passed in the header is unique, X-CSRF Token=BYulObTFjGn7BCuBLCBiCi0Y/Io=, but if I look in the test result tree the CSRF token is T6C+9iB49TLra4jEsMeSckDMNhQ=. This token T6C+9iB49TLra4jEsMeSckDMNhQ= is the initial token you will receive when you visit the site but, as I understand it, I should see in the response data the unique token, which is BYulObTFjGn7BCuBLCBiCi0Y/Io=.

Please let me know what more information you require to help me solve this.

2024-11-07 03-28-42
Stuart Harris
Champion

Hi David,

The problem looks to be that you are replaying a previous series of requests without substituting in the new x-csrftoken header.

The login request will return a new nr2Users cookie which you have to URL decode and retrieve the crf value. Then subsequent posts should use this value in the x-csrftoken header. This needs to be dynamic within your Jmeter test run, you cannot use a value from a previous session.

Extracting the x-csrftoken is a little tricky in Jmeter, so let me know if you need help.

I hope this helps!

Kind regards,

Stuart

Manish Khard

Hi Stuart,
I have a scenario where we need to log in and then visit some page after login. We have created a script for the same, and every time it is logging in fine, but the rest page getting errors. Below is the response data for login, which was successful every time.

And below is the response data for the 403 failure on the page.

It looks like, in nr1users and nr2users, the value which is generated after login is not passing, so a 403 error is showing.
Please let me know the approach to resolve the same.

Thanks in advance.

Stuart Harris
Champion

Hi Manish,

Thanks for your question.

Do you mean the "rest of the pages are getting errors"?

Are you setting the X-CSRFToken header as I described above? If not, that is what you need to do.

Kind regards,

Stuart

Manish Khard

Hi Stuart Harris,

Thank you for the reply.
Yes, the X-CSRFToken header is coming in the headers, and we already tried to extract the token and pass the same on the other pages, but it seems it is not passing properly. Can you share the approach to extract the token in this scenario, please?

Thanks,
Manish


Stuart Harris
Champion

Hi Manish,

Yes, I explained the approach above; here it is:

"The login request will return a new nr2Users cookie which you have to URL decode and retrieve the crf value. Then subsequent posts should use this value in the x-csrftoken header."

Maybe if you explain each step you are using to extract the token and then send it back, I might be able to spot the missing or incorrect part.

(I know that's probably a bit painful to do, but I think that's the quickest way to get it working for you.)

Kind regards,

Stuart

Manish Khard

Hi Stuart Harris,
On the login POST request, I have put the regular expression extractor shown below, and on all the next pages we add ${value} for all the crf tokens.

Please correct me if I am doing anything wrong in extracting the token.

Thanks,

Regards,
Manish

Stuart Harris
Champion

Thanks Manish,

That was really helpful, and I can see the problem.

Your regular expression is wrong, and you are not URL decoding the value. You are correctly checking the Response Headers. Also you only need it to apply to the Main sample, but your selection there will work as well.

Here is the regular expression you need:

(I like to set it to NOT_FOUND if it fails, but not strictly necessary)

Then URL decode the value like this:

I hope this helps!

Kind regards,

Stuart
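
The extract-and-decode step discussed in this thread, as an added Python example; it is not code from the thread or from OutSystems, and it is not the regular expression from the post above. It assumes the decoded nr2Users value is a semicolon-separated list of key=value fields containing crf, and the sample headers are constructed around the two tokens quoted in the question.

```python
from urllib.parse import unquote

NOT_FOUND = "NOT_FOUND"  # fallback marker, as suggested in the post above

# Constructed Set-Cookie headers. The tokens are the two quoted in the question;
# the uid/unm fields and cookie attributes are assumptions for illustration.
ANONYMOUS_VISIT = [
    "nr2Users=crf%3dT6C%2b9iB49TLra4jEsMeSckDMNhQ%3d%3buid%3d0%3bunm%3d; path=/; secure",
]
LOGIN_RESPONSE = [
    "nr1Users=PLACEHOLDER; path=/; HttpOnly",
    "nr2Users=crf%3dBYulObTFjGn7BCuBLCBiCi0Y%2fIo%3d%3buid%3d42%3bunm%3dloadtest; path=/; secure",
]


def csrf_from_set_cookie(set_cookie_headers, cookie_name="nr2Users"):
    """Return the URL-decoded crf field of the last matching Set-Cookie header."""
    token = NOT_FOUND
    for header in set_cookie_headers:
        name, _, raw = header.split(";", 1)[0].strip().partition("=")
        if name != cookie_name:
            continue
        # Decode first: the field separators (= and ;) are percent-encoded too.
        decoded = unquote(raw)
        fields = dict(p.split("=", 1) for p in decoded.split(";") if "=" in p)
        token = fields.get("crf") or NOT_FOUND
    return token


def headers_for_post(set_cookie_headers):
    """Build the header for later POSTs, refusing to send a missing token."""
    token = csrf_from_set_cookie(set_cookie_headers)
    if token == NOT_FOUND:
        raise ValueError("no crf value in nr2Users; extraction failed")
    return {"X-CSRFToken": token}


def is_stale(sent_token, set_cookie_headers):
    """True when a request replays a token from an earlier session."""
    return sent_token != csrf_from_set_cookie(set_cookie_headers)


if __name__ == "__main__":
    print(headers_for_post(LOGIN_RESPONSE))
    print(is_stale("T6C+9iB49TLra4jEsMeSckDMNhQ=", LOGIN_RESPONSE))
```

Without the decode step the extracted value still contains `%2f` and `%3d`, so it will not match the token the server expects.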

Manish Khard

Hi Stuart Harris,
Thank you so much for the guidance. Now the crf token is extracting and passing in the response header.

Still, a 403 error is showing for the pages as the nr1User token is not passing. I have added a new regular expression for the same, but I am not sure where in the header this variable needs to pass. Like the crf token is passing in the header, so we have to automate in headers.

Thanks,

Regards,
Manish

Stuart Harris
Champion

Hi Manish,

You're welcome.

In my example the variable storing the token is RFToken, so if you are using exactly that, then the value needs to be ${RFToken} rather than ${token}.

Give that a try and let me know how you go! :)

Kind regards,

Stuart

Manish Khard

Hi Stuart,
I have tried the value change for the RFToken, but still the same issue for nr1user is showing.

Please let me know if anything needs to be changed in regular expression or nr1user.

Stuart Harris
Champion

Hi Manish,

I'm not sure I can be of any further help. I think you have the CRF token set now. It would be worth reviewing what is being sent in the Jmeter logs.

Also check the username and password are being sent correctly and make sure you can see them in what is being sent.

Kind regards,

Stuart

M Swaroop

Hi Manish & Stuart Harris


I am facing the same issue which you have posted. Can you please guide me on how to resolve it?

Regards

Vijay 
