Case Study: JMeter Performance/Load Testing User Login with CSRF Token Protection
How to create a simple performance/load test in JMeter
This article will walk through a simple login load test scenario with JMeter, a free and open-source Java-based load testing tool.
Target Site: WhenWise, URL: https://whenwise.agileway.net
Zhimin: This is a free test automation practice server instance that I made publicly available, hosted on a Vultr $6 plan.
WhenWise is powered by Ruby on Rails, which has built-in CSRF (Cross-site request forgery) protection.
Table of Contents:
∘ Create a Simple Test in JMeter
∘ Performance Testing
∘ Load Testing
∘ Zhimin’s Notes
Create a Simple Test in JMeter
I used the latest Apache JMeter 5.5. Run ./bin/jmeter.sh (from a terminal) to launch.
1. Include ‘HTTP Cookie Manager’ and ‘HTTP Header Manager’ in the new Test Plan
This is for handling sessions.
2. Add “HTTP Request Defaults” to share the target server URL.
Set our target server URL there: https://whenwise.agileway.net
3. Add a new “Thread Group”
A ‘thread group’, based on my understanding, is a load test case. I named it “User Login”.
4. Add a test step (HTTP Request): Visit the Homepage
Right-click the “User Login” Thread Group → Add → Sampler → HTTP Request.
Name it “Visit the Homepage” and set the Path to /.
5. Add “View Results Tree”
Right-click the “User Login” Thread Group → Add → Listener →View Results Tree.
This is to view the captured test results, in this case the HTTP request and response data.
6. Run the test plan
Click the green triangle button on the toolbar to run the test plan.
Click the “Response data” tab to view the HTML returned.
I also added “Listener → View Results in Table”, which provides a more concise view.
7. Add an assertion, “Response Assertion”
I named it “Home Page Slogan Assertion”, and added the check: “Text Response” Contains “Discover quality services near you”.
8. Rerun the test plan.
After one run, I suggest changing the assertion to invalid text to see how JMeter reports a failed assertion in the test results.
Next, I added two more steps (HTTP Request): “Visit Login Page” and “Login”.
9. Use ‘Regular Expression Extractor’ to extract the CSRF token on the Login page
Add another HTTP GET Request with the path /sign-in.
WhenWise is a Ruby on Rails app, which comes with CSRF token protection.
<meta name="csrf-token" content="EcuR9ZHJ1KBs0MKuVjD6k9OLe6mZyn1QCMo7ZiaWbZSa3xpPIbHbRweJIn-2vRFjgEoaNOhcxtbqf2XGnNtYAw" />
One way is to extract the token on the Login page using a regular expression and save it to a JMeter variable.
Specify the regular expression.
10. Submit the Login form
This is an HTTP POST request to /sessions, with three parameters:
|session[email] | driving@biz.com|
|session[password] | test01|
|authenticity_token | ${authenticity_token}|
The authenticity_token value is the JMeter variable extracted in the previous step.
Add a “Response Assertion” to verify this step: check the text “Dashboard” on the returned page.
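The extraction and form-building logic of steps 9 and 10, as an added Python example (not code from the article or from JMeter): the regex is the one you would enter into the Regular Expression Extractor (Reference Name authenticity_token, Template $1$), and the sign-in HTML is a constructed, abridged sample built around the meta tag quoted above.

```python
import re
from typing import Optional

# Constructed, abridged sample of the /sign-in page. Rails' csrf_meta_tags
# helper emits both tags; the token value is the one quoted in the article.
SIGN_IN_HTML = """<html><head>
<meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="EcuR9ZHJ1KBs0MKuVjD6k9OLe6mZyn1QCMo7ZiaWbZSa3xpPIbHbRweJIn-2vRFjgEoaNOhcxtbqf2XGnNtYAw" />
</head><body>...</body></html>"""

# Same pattern as used in JMeter's Regular Expression Extractor
# (Reference Name: authenticity_token, Template: $1$, Match No.: 1).
CSRF_META_RE = re.compile(r'<meta name="csrf-token" content="([^"]+)"')


def extract_csrf_token(html: str) -> Optional[str]:
    """Return the Rails CSRF token from a sign-in page, or None if absent."""
    m = CSRF_META_RE.search(html)
    return m.group(1) if m else None


def build_login_form(html: str, email: str, password: str) -> dict:
    """Build the /sessions POST body from step 10, token included.

    Raises ValueError when no token is found: Rails rejects a POST without
    a valid authenticity_token (InvalidAuthenticityToken), so failing here
    is clearer than a confusing error buried in the View Results Tree.
    """
    token = extract_csrf_token(html)
    if token is None:
        raise ValueError("csrf-token meta tag not found on sign-in page")
    return {
        "session[email]": email,
        "session[password]": password,
        "authenticity_token": token,
    }


if __name__ == "__main__":
    # Credentials are the practice-site ones given in the article.
    print(build_login_form(SIGN_IN_HTML, "driving@biz.com", "test01"))
```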
Performance Testing
Set “Number of Threads (users)” (under Thread Group) to 1 (the default, anyway).
|Operation | Average timing|
|Visit home page | 1.003|
|Visit login page | 0.205|
|Login | 1.035|
Load Testing
Change the Number of Threads (users) to 1, 5, 10, 20, 50 and 100, then run the tests.
We get comparable test results (average timings of the operations) based on virtual user count.
Zhimin: The result shows that this test site performs OK, taking into account that it is hosted on a shared $6/month VM instance. It starts to show signs of struggling with 20+ concurrent users.
Zhimin’s Notes
JMeter is a free and open-source Java-based load testing tool. For 23-year-old software, JMeter is still relevant today (you can still find JMeter in many job ads). It is a rare software success. I have used JMeter since its first version in 1998; it was powerful, and I managed to get the job done. However, personally, I find it hard to use (its GUI has hardly changed). Every time I worked with JMeter (load testing is not my main task), it felt like learning a new tool.
For a much easier and more intuitive load testing approach, check out the “Practical Performance and Load Testing” book.
You can download the JMeter project file at the book site.