JMeter; session cookie

Tag: session-cookies, jmeter, shibboleth Author: hfahcn Date: 2011-11-13

I've seen several JMeter threads that kind of touch on my issue, but none seem to address my specific problem.

The problem is that the website I am testing works like this:

  1. A home-page with logon fields, and a submit button. When you first browse to this page in a browser, a PHPSESSID cookie is set (comes down in the Response Header) with a unique Value, to identify the session.
  2. When the user clicks on the login button (username and password on this page are irrelevant in the system's current state), the web server redirects to a different server running LDAP, via Shibboleth. Shibboleth needs the value of the PHPSESSID cookie to proceed (to validate that the user is coming from a correct, federated server).
  3. The user then enters their account username and password, and clicks the login button.
  4. The (valid) account is logged in to the LDAP server; if the account did not exist on the original (1) server, then Shibboleth maps the LDAP fields over to the account database on the original server. Then the user is logged in to the original server (1) to the newly-created account, and redirected to the original page.

There's some other SAML data that's exchanged, which I don't think is going to be a problem. . . so far, the problem seems to be this cookie.

Where JMeter is falling down is in step 2.

  • If I do not set a cookie manager, the LDAP server says that I do not have cookies enabled. (This error is in the response data.)
  • If I set the HTTP Cookie Manager, with no PHPSESSID cookie specified, the LDAP server says that I do not have cookies enabled. (It does not matter which Cookie Policy I set it to.)
  • If I specify the PHPSESSID cookie value - of course, each user needs to have a unique value, so this will be wrong. . . So I set a RegExp post processor for the initial page, to extract the PHPSESSID value from the Request Header, and place it into a variable ${PHPSession}. Then I specify a value, in HTTP Cookie Manager, for the PHPSESSID cookie, of ${PHPSession} . . . and LITERALLY, in the header, the ** thing submits a "Cookie: PHPSESSID=${PHPSession}"

So then, I read THIS. . .

Which says, in effect, (paraphrased) "...cookie manager doesn't expand user variables..." then "... okay, we fixed it... it does expand user variables..." then "... well, no, not in THAT field, it's not designed to do THAT."

So... basically, they're saying, HTTP Cookie Manager cannot manage session cookies that have a unique value for each user (even though this is what I thought its whole purpose was).

How else can I set and submit a unique cookie for each user whose value is extracted from the first Response Header?

Other Answer1

This is perhaps the most difficult task of programming a load test these days. I would say your problem could be related to failure to make the LDAP authentication right with the server, i.e. not passing in a new session ID each time. Look at using the LDAP Request sampler to pass in the token that way, both at Step 2 and for use later on in the script. You can go all out and build LDAP requests to really exercise your application. Hope this sheds some light on your problem!
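A way to check the cookie behaviour from steps 1 and 2 of the question outside JMeter, as an added example that is not part of the original thread: each simulated user keeps its own cookie jar, so the PHPSESSID from the first response is replayed on the next request. The local server is a constructed stand-in; its paths, response bodies and its rejection of an unexpanded `${...}` placeholder are assumptions.

```python
import http.cookiejar, threading, urllib.request, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

class Portal(BaseHTTPRequestHandler):
    """Constructed stand-in for the home page (step 1) and the login hop (step 2)."""
    def do_GET(self):
        cookie, set_cookie = self.headers.get("Cookie", ""), None
        if self.path == "/":  # step 1: issue a unique session id per visitor
            body = b"home"
            set_cookie = "PHPSESSID=%s; Path=/; HttpOnly" % uuid.uuid4().hex
        elif "PHPSESSID=" in cookie and "${" not in cookie:
            body = b"login form"  # step 2: a real session id was presented
        else:  # assumption: missing cookie or literal placeholder is refused
            body = b"cookies not enabled"
        self.send_response(200)
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the run quiet
        pass

def virtual_user(base, use_jar=True, literal_cookie=None):
    """One simulated user: GET /, then GET /login. Returns (session id, body)."""
    jar = http.cookiejar.CookieJar()  # one jar per user, never shared
    handlers = [urllib.request.ProxyHandler({})]  # loopback must bypass proxies
    handlers += [urllib.request.HTTPCookieProcessor(jar)] if use_jar else []
    opener = urllib.request.build_opener(*handlers)
    opener.open(base + "/").read()
    request = urllib.request.Request(base + "/login")
    if literal_cookie:  # mimics a header sent with an unexpanded variable
        request.add_header("Cookie", literal_cookie)
    body = opener.open(request).read().decode()
    sid = next((c.value for c in jar if c.name == "PHPSESSID"), None)
    return sid, body

def run_demo():
    with HTTPServer(("127.0.0.1", 0), Portal) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:
            return {"user1": virtual_user(base), "user2": virtual_user(base),
                    "no_jar": virtual_user(base, use_jar=False),
                    "literal": virtual_user(base, False, "PHPSESSID=${PHPSession}")}
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

Comparing the headers this client sends with the ones JMeter's View Results Tree shows for the same two requests makes it clear whether the cookie is absent, unexpanded, or present but still rejected.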