How to get hold of a XSRF cookie value to convert it into a X-XSRF-TOKEN header?

Gatling version: 3.11.2
Gatling flavor: java
Gatling build tool: maven

Dear community,

I’m struggling with performing AJAX POST requests in Gatling that need to have the X-XSRF-TOKEN header set. The value that needs to be put into the header field is provided by the application as an XSRF cookie. Although Gatling seems to handle JSESSIONID cookies automatically, converting a provided XSRF cookie into an X-XSRF-TOKEN header seems to require some manual steps.

I tried different approaches to get hold of the necessary cookie value:

    exec(
        http("login")
            .get("/site/login")
            .headers(headers_page)
            .check(headerRegex("Set-Cookie", "XSRF-TOKEN=([^;]+)").saveAs("xsrfCookieFromHeader"))
    )
    .exec(
        getCookieValue(
            CookieKey("XSRF-TOKEN")
                .withDomain("cookie-domain.example.org")
                .withPath("/")
                .withSecure(true)
                .saveAs("xsrfCookieFromFunction")
        )
    )
    .exec(session -> {
        System.out.println("xsrfCookieFromHeader: " + session.getString("xsrfCookieFromHeader"));
        System.out.println("xsrfCookieFromFunction: " + session.getString("xsrfCookieFromFunction"));
        return session;
    })

The part of the code shown above returns the expected cookie value when using the check(headerRegex()) approach, but does not return a value (returns null) in the case of getCookieValue, which is the recommended way to access cookies, as far as I understood.
Unfortunately, check(headerRegex()) works in this simple example but does not work in the case of an automatic redirect performed by a Location header set together with the relevant Set-Cookie header in the same response.

The header of the response I’m trying to deal with looks as following (taken from Gatling debug output):
set-cookie: XSRF-TOKEN=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Domain=cookie-domain.example.org; Path=/; Secure
set-cookie: XSRF-TOKEN=f6f4d03a-45a5-42ff-a361-9b4459f509b1; Domain=cookie-domain.example.org; Path=/; Secure
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000 ; includeSubDomains
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
set-cookie: JSESSIONID=80284F17710198A200E86A141FE2A909; Path=/site; Secure; HttpOnly
location: h.t.t.p.s.:././hostname.cookie-domain.example.org

Is there any chance to get hold of the cookie value?

Regards,
Markus

P.S. I had to obscure the link in the location header to be able to post the example here.

Hi

.check(headerRegex("Set-Cookie", "XSRF-TOKEN=([^;]+)").saveAs("xsrfCookieFromHeader"))

Don’t parse Set-Cookie headers. Use the Gatling component for this: Gatling HTTP protocol reference - helpers

Gatling version: 3.11.2

Please upgrade to the latest Gatling version (3.11.5 as of now) prior to posting here, as requested in this forum’s terms.
Proof: you’re most likely being bitten by a bug that was fixed in 3.11.3: 3.11.3 Milestone · GitHub

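Putting the two posts together, here is a complete Gatling Java simulation (an added example, not code from the thread or from the Gatling project) that reads the XSRF-TOKEN cookie from Gatling's cookie jar with getCookieValue and sends it back as the X-XSRF-TOKEN header on the following POST, which is the cookie-to-header pattern the application expects. It assumes Gatling 3.11.3 or later (where the getCookieValue bug mentioned above is fixed); the base URL, the POST endpoint /site/api/resource and the JSON body are placeholders.

```java
import static io.gatling.javaapi.core.CoreDsl.*;
import static io.gatling.javaapi.http.HttpDsl.*;

import io.gatling.javaapi.core.ChainBuilder;
import io.gatling.javaapi.core.ScenarioBuilder;
import io.gatling.javaapi.core.Simulation;
import io.gatling.javaapi.http.HttpProtocolBuilder;

public class XsrfTokenSimulation extends Simulation {

  // Placeholder base URL; replace with the real host.
  HttpProtocolBuilder httpProtocol = http
      .baseUrl("https://hostname.cookie-domain.example.org")
      .acceptHeader("application/json");

  ChainBuilder loginAndPost = exec(
      // The login page sets XSRF-TOKEN and redirects; Gatling follows the
      // redirect and keeps the cookie in its cookie jar, so no header parsing
      // is needed.
      http("login").get("/site/login")
  )
  .exec(
      // Read the cookie from the jar. Domain, path and secure flag must match
      // the attributes the server sent in its Set-Cookie header.
      getCookieValue(
          CookieKey("XSRF-TOKEN")
              .withDomain("cookie-domain.example.org")
              .withPath("/")
              .withSecure(true)
              .saveAs("xsrfToken")
      )
  )
  .exec(
      // Replay the cookie value as the X-XSRF-TOKEN header; the server compares
      // header and cookie and rejects the request if they differ.
      http("ajax post")
          .post("/site/api/resource")            // placeholder endpoint
          .header("X-XSRF-TOKEN", "#{xsrfToken}")
          .body(StringBody("{\"example\":true}"))  // placeholder body
          .asJson()
          .check(status().is(200))
  );

  ScenarioBuilder scn = scenario("xsrf-double-submit").exec(loginAndPost);

  {
    setUp(scn.injectOpen(atOnceUsers(1))).protocols(httpProtocol);
  }
}
```

If getCookieValue still yields null, check the domain and path attributes against the actual Set-Cookie line in the debug output, since the lookup only matches a cookie stored under exactly those attributes.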

Thank you very much, Stéphane!

I had only included the code for reading the "Set-Cookie" header to compare the values with the output of the getCookieValue function - knowing that the latter is actually the method of choice.

I hadn’t really thought of a bug that had already been fixed since 3.11.2, but assumed that I had a bug in my code.

I was able to download the latest version 3.11.4 from the homepage. Since the bug has been fixed since 3.11.3, reading the cookie now works as desired - even at any time after the redirection, of course.

Best regards,
Markus
