Saturday, March 15, 2008

Handling Dynamic Sessionid Using OpenSta

Handling Dynamic Sessionid Using OpenSta


Sometimes webapplications encode their session identifiers in urls, like http://localhost/index.jsp;jsessionid=12345. In this example 12345 is the session identifier. Playback using the recorded value indicated below is obviously going to cause problems. For one thing, each thread needs to have its own jsessionid; for another, if the value is left as recorded, the script will fail as soon as the jsessionid expires on the server.

Session IDs and User IDs can be found in multiple ways, depending on the way in which the page is presented. If the ID is stored in a cookie, the session ID can be extracted in the same manner as OpenSTA already uses to retrieve cookie values.

For example, OpenSTA might record the following:

Load Response_Info Header on 4 &
Into cookie_4_0 &
,WITH "Set-Cookie,UID"

In this case, capturing the UID is as simple as declaring a variable (VAR_UID in the example below) and populating it using the follwing syntax, directly above or below the load statement shown above

Load Response_Info Header on 4 &
Into VAR_UID &
,WITH "Set-Cookie,UID"

* NOTE: Because this value is being extracted from a cookie, there is a good chance that the cookie variable will come along with the value as in:

"UID=123456789"

It is necessary to either parse the "UID=" off or, since the value is going to be appended to a query string anyhow, leave it on and remove the "UID=" from each URL you are appending the variable to.

If the ID is not loaded into a cookie, it is time to go hunting. Look for the ID somewhere in the Structure or HTML Tree on pages preceeding the first use of the ID in question. Once the ID is found, address it to a variable. There is a decent chance that the ID is not by itself and additional string parsing will be necessary. The follwing example is for a SID that had to be extraced from a JS function call.

LOAD RESPONSE_INFO BODY ON 5 &
INTO VAR_SID &
,WITH "HTML(0)/BODY(1)/FORM(2)/TABLE(4)/TBODY(0)/TR(0)/TD(0)/A(0):ATTRIBUTE:onclick(0)"

SET VAR_STRLEN = ~LENGTH(VAR_SID)
SET VAR_STRLEN = VAR_STRLEN - 2
SET VAR_SID = ~LEFTSTR(VAR_STRLEN, VAR_SID)
SET VAR_SEPPOS = ~LOCATE("','", VAR_SID)
SET VAR_SEPPOS = VAR_SEPPOS + 3
SET VAR_STRLEN = ~LENGTH(VAR_SID)
SET VAR_STRLEN = VAR_STRLEN - VAR_SEPPOS
SET VAR_SID = ~RIGHTSTR(VAR_STRLEN, VAR_SID)

Once the desired ID has been obtained, it can be concatenated into applicable URLs as shown below:

"http://localhost/index.jsp;jsessionid=12345?sid=" + VAR_SID

No comments: