Case Study: JMeter Load Testing User Login with CSRF Token Protection
How to create a simple load test in JMeter
This article will walk through a simple login load test scenario with JMeter.
Target Site: WhenWise, URL: https://whenwise.agileway.net
Create a Simple Test in JMeter
1. Include ‘HTTP Cookie Manager’ and ‘HTTP Header Manager’ in the new Test Plan
This is for handling sessions.
2. Add “HTTP Request Defaults” to share the target server URL.
Also include “HTTP Request Defaults”, and set our target server URL there:
3. Add a new “Thread Group”
A ‘thread group’, based on my understanding, is a load test case. I named it “User Login”.
4. Add a test step (HTTP Request): Visit the Homepage
Right-click the “User Login” Thread Group → Add → Sampler → HTTP Request.
Name it “Visit the Homepage” and set the PATH
5. Add “View Results Tree”
Right-click the “User Login” Thread Group → Add → Listener →View Results Tree.
This is to view the captured test results, in the case, HTTP request and response data.
6. Run the test plan
Click the green triangle button on the toolbar to run the test plan.
Click the ‘Response data” tab to view the HTML returned.
I also added “ Listener →View Results in Table”, which provides a more concise view.
7. Add an assertion, “Response Assertion”
I named it “Home Page Slogan Assertion”, and added the check: “Text Response” Contains “Discover quality services near you”.
8. Rerun the test plan.
After one run, I suggest changing to the invalid assertion text (see above). The test results will display like below.
Next, I added two more steps (HTTP Request): “Visit Login Page” and “Login”.
9. Use ‘Regular Expression Extractor’ to extract the CSRF token on the Login page
Add another HTTP Get Request with the path
WhenWise is a Ruby on Rails app, which comes with CSRF token protection.
<meta name="csrf-token" content="EcuR9ZHJ1KBs0MKuVjD6k9OLe6mZyn1QCMo7ZiaWbZSa3xpPIbHbRweJIn-2vRFjgEoaNOhcxtbqf2XGnNtYAw" />
One way is to extract the token on the Login page using a regular expression and save it to a JMeter variable.
Specify the regular expression.
10. Submit the Login form
This is an HTTP Post request to
/sessions, with three parameters:
the value is extracted from the previous step.
Add a “Response Assertion” to verify this step: check the text “Dashboard” on the returned page.
Set “Number of Threads (users)” (under Thread Group) to 1.
|Visit home page | 1.003|
|Visit login page | 0.205|
|Login | 1.035|
Change the Number of Threads (users) to 1, 5, 10, 20, 50 and 100, then run the tests and get the average timings of the operations.
We get comparable test results based on virtual user count.