One of the most commonly misscripted elements in performance testing is web authentication. I’m not talking about integrated authentication like SPNEGO, I’m talking about a simple HTTP POST with authentication details followed by the sites authenticated home page. The problem is that the user experiences a two step process.
In reality the process is actually 3 steps, with the middle step is transparent to the user. Because it is transparent, tools like LoadRunner will attempt to represent the end-user experience and record only two steps. In most cases, this is the desired end-result. The following diagram shows the three steps that occur.
The issue with recording Logon like this, is that it does not allow you to separate the authentication time from the loading time of the subsequent page. Its a simple process to separate the timing of the authentication and the subsequent page load, and the following code snippet shows you how to do it in LoadRunner.
Action() {
lr_start_transaction("Open_Logon_Page");
// Validate Logon Page
web_reg_find("Text=Lost your password?", LAST);
// Open Logon Page
web_url("logon_page",
"URL=http://www.headwired.com/login.php",
"TargetFrame=",
"Resource=0",
"RecContentType=text/html",
"Snapshot=t1.inf",
"Mode=HTML",
LAST);
lr_end_transaction("Open_Logon_Page", LR_AUTO);
// Disable HTTP Redirects to time Authentication
web_set_option("MaxRedirectionDepth", "0", LAST);
lr_start_transaction("Logon");
lr_start_sub_transaction("Authenticate", "Logon");
// Find Authenticated URL
web_reg_save_param("redirect_url", "LB/ic=Location: ", "RB=\r\n", "Search=Headers", LAST);
// Submit Authentication
web_submit_data("web_submit_data",
"Action=http://www.headwired.com/login.php",
"Method=POST",
"TargetFrame=",
"Referer=",
ITEMDATA,
"Name=log", "Value={USERNAME}", ENDITEM,
"Name=pwd", "Value={PASSWORD}", ENDITEM,
"Name=redirect_to", "Value=http://www.headwired.com/dashboard/", ENDITEM,
"Name=testcookie", "Value=1", ENDITEM,
"Name=wp-submit", "Value=Log In", ENDITEM,
LAST);
lr_end_sub_transaction("Authenticate", LR_AUTO);
// Enable HTTP Redirects to time Authentication
web_set_option("MaxRedirectionDepth", "10", LAST);
lr_start_sub_transaction("Authenticated_Page", "Logon");
// Verify Authenticated Page
web_reg_find("Text=Dashboard", LAST);
web_url("authenticated_page",
"URL={redirect_url}",
"TargetFrame=",
"Resource=0",
"RecContentType=text/html",
"Snapshot=t1.inf",
"Mode=HTML",
LAST);
lr_end_sub_transaction("Authenticated_Page", LR_AUTO);
lr_end_transaction("Logon", LR_AUTO);
return 0;
}
[…] data one by one to see which accounts work, and which
don’t, removing the accounts that error. By turning off HTTP
redirects, you can speed up this process […]
Note that some servers will return location: header in lowercase. To handle this, use
web_reg_save_param(“redirect_url”, “LB/ic=Location: ”, “RB=\r\n”, “Search=Headers”, LAST);
Thanks for the tip Niels.
I must have been lucky and haven’t come across a lowercase “location” yet. I have updated the code above to reflect this change.
In a post by Kim Sandell over at Performance Testing @ the Frontline, I commented on his redirection post. A question from Kiran on that post was
“There exists a redirection parameter for web reg save,why do you think this will not work in this case.”
My initial thought was “because manually handling redirects just feels better”, also, as I hadn’t looked at this option in a while, I thought it better to properly investigate it further.
I quickly setup a two page re-direction, from Page1.php > Page2.php and finishing on Page3.php with the content “You have arrived on page 3”.
This was setup using a quick PHP script, if anyone was interested
And my test script in LoadRunner
Action() { web_reg_save_param("redirect_url", "LB/ic=Location: ", "RB=\r\n", "Search=Headers", LAST); web_reg_save_param("page_text", "LB=You have ", "RB= at Page 3", LAST); web_url("page1.php", "URL=http://localhost/redirect/page1.php", "Resource=0", "RecContentType=text/html", "Referer=", "Snapshot=t1.inf", "Mode=HTML", LAST); return 0; }When IgnoreRedirections=Yes, ONLY the final page will content will be searched, and the pages leading up to that page are not. With the default IgnoreRedirections=No, ALL pages are searched for content and values can be matched on ANY of those pages.
For example, “page_text” is found with IgnoreRedirections set to Yes and No, as both options do search the final page. The “redirect_url” is only found when its set to No, as it searches all pages. You can even use the “Ord=ALL” option on the redirect_url as this allows for all redirections to be found
So it turns out, the default behaviour of searching all pages leading up to your final page is a great option for matching multiple redirects, however, as in my post, this option does not allow you to set individual timing points for the redirects, something which I find very useful.
I think you are right in your calculation.If we are measuring the redirects, we need to set up explicit markers for that.However I am still doubtfull with regard to integrated windows authenication or when redirects happens 3 times in situation like SSO ,it can not be called as performance issue as redirects happens by design.
The flow I have seen is something like you get 401.2 >401.1 > 200 which is normal flow and is correct by design,but again if it takes more time to redirect,then it becomes a issue.
I dont really recollect as how LR Windows authenication works,if we are seeing directly home page ,with windows authenication check box on in LR Setting and with single web set user , and if it is making only last 2 calls,then I think this goes against RFC’s.401.2 is also important part of this process.
i need to capture the time of redirection to the home page after we post the credentials.
1. we post the credentials to the server
2. server authenticates it at page 1
3. server redirects page 1 to page 2(200 results page)
4. server internally sends page 2 and fetches page 3 (home page)
5. we logout
As above i need to capture the time for step3, i have recorded a script in LR but this redirection is related to server internally and thus does is not getting captured in a transaction.
please help