Problem on a site that uses Anti-Forgery Tokens

Nikola Lušic
Posts: 3


12/29/2012
Hi there.

I'm trying out StresStimulus on a site I'm working on which uses Anti-Forgery Tokens. My problem is that even though I extract RequestVerificationToken from a hidden field in the parent request, and use it to replace the recorded value of the token in the POST request, I still get a 302 that redirects to the login page instead of a 200 with JSON data.



No matter what I tried, I could never get it to work properly, so I was wondering if I could maybe get some advice.

Thank you,
Nikola
Vadim @StresStimulus
Administrator
Posts: 583


12/31/2012
Hi Nikola,
I suggest checking out two possible issues:

  1. The Anti-Forgery Token is used in more than one request, so more requests have to be parameterized. To check this, select the _RequestVerificationToken field and click "Bulk clone parameterization rule" (the 2nd button on the toolbar shown on your screenshot). StresStimulus will search all subsequent requests and will create similar parameterization rules if more requests using the same token are found.

  2. More dynamic parameters, besides the Anti-Forgery Token, are used by your application. In this case they need to be parameterized as well.


If none of these hints help, I can offer you a WebEx session to check it out. We are in New York time zone and available from 7AM. If you let me know (via a private message or by e-mailing support@StimulusTechnology.com) the times that work for you and your time zone, I will send you an invite.

Cheers,
-Vadim
Nikola Lušic
Posts: 3


1/4/2013
Thank you for your reply.

We figured out why it isn't working. There is another dynamic parameter in the header. Here is the header of the replayed test case that is giving us trouble:

The problem is that "Authorization: Basic" should be the same as "authkey". Unfortunately it is copied from the recorded case.
Is there a way to parameterize a header?

Thanks,
Nikola
Nikola Lušic
Posts: 3


1/4/2013
I have no idea why I haven't noticed the Headers tab in the Parameters options. It is working perfectly now. Thank you for your support, and may I just say I'm very pleased with StresStimulus, keep up the good work.

Cheers,
Nikola
Vadim @StresStimulus
Administrator
Posts: 583


1/4/2013
Nikola,
I am glad that you found another parameter that has to be parameterized.
And thanks for your kind words about StresStimulus!

Cheers,
-Vadim
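
Added example, not part of the thread and not StresStimulus code: a small check that scans every replayed request (URL, body and headers) for values left over from the recording, then rebinds them to the values issued in the new session, which is the failure the thread tracked down to the Authorization header. The request layout, paths, and all token and authkey values are constructed; how the fresh authkey is obtained is not shown in the thread, so it is supplied directly here.

```python
import re

FIELD = "RequestVerificationToken"  # hidden-field name as written in the thread

def extract_hidden(html, name):
    """Return the value of the hidden <input> called `name`, or None."""
    for tag in re.findall(r"<input\b[^>]*>", html, re.I):
        attrs = dict(re.findall(r'([\w-]+)\s*=\s*"([^"]*)"', tag))
        if attrs.get("name") == name:
            return attrs.get("value")
    return None

def find_stale(requests, recorded):
    """List (request index, location, parameter) for every recorded value still present."""
    hits = []
    for i, req in enumerate(requests):
        parts = [("url", req["url"]), ("body", req.get("body", ""))]
        parts += [("header:" + h, v) for h, v in req.get("headers", {}).items()]
        for where, text in parts:
            hits += [(i, where, p) for p, old in recorded.items() if old in text]
    return hits

def rebind(requests, recorded, fresh):
    """Copy the requests, replacing each recorded value with this session's value."""
    def swap(text):
        for p, old in recorded.items():
            text = text.replace(old, fresh[p])
        return text
    return [{"method": r["method"], "url": swap(r["url"]), "body": swap(r.get("body", "")),
             "headers": {h: swap(v) for h, v in r.get("headers", {}).items()}}
            for r in requests]

# Constructed sample data: a recorded session and the values a new session issued.
RECORDED = {FIELD: "rec-token-AAA", "authkey": "rec-key-111"}
RECORDED_REQUESTS = [
    {"method": "POST", "url": "/items/list", "body": FIELD + "=rec-token-AAA&page=1",
     "headers": {"Authorization": "Basic rec-key-111"}},
    {"method": "POST", "url": "/items/save", "body": FIELD + "=rec-token-AAA&id=7",
     "headers": {"Authorization": "Basic rec-key-111"}},
]
FRESH_PAGE = '<form><input type="hidden" name="RequestVerificationToken" value="new-token-BBB"></form>'
FRESH = {FIELD: extract_hidden(FRESH_PAGE, FIELD), "authkey": "new-key-222"}

if __name__ == "__main__":
    for hit in find_stale(RECORDED_REQUESTS, RECORDED):
        print("stale value:", hit)
    print("after rebind:", find_stale(rebind(RECORDED_REQUESTS, RECORDED, FRESH), RECORDED))
```

Scanning headers as well as bodies is what surfaces the second dynamic parameter: a replay that only rebinds the form token still sends the recorded Authorization value.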