
I work for a Canadian government department, and our group uses primarily tools from Microsoft, including Visual Studio. We need to carry out load-testing on one of our department's web applications. I have no prior experience with load-testing, but from what I understand, this would entail creating web performance tests recording various testing scenarios, and then creating load tests pointing to these web performance tests.

One complication is that our application relies on an external authentication service, a service used by other applications (and other departments). Our service agreement with this service provider explicitly stipulates that we not subject the service to load-testing.

So we'll need to find a way to bypass the authentication mechanism to carry out our load-testing. Here's the outline of one strategy a colleague and I came up with:

  • Log in normally to the web site, going through the authentication service as normal.
  • Use developer tools installed in the browser to capture the cookie(s) created when authenticating.
  • Create a web performance test, and add some code to the web performance test to use the cookie(s), and thereby use the session I had established when logging in manually.

But I'm not entirely confident that this is the right approach. And even if it is - I have no prior experience with creating web performance tests or load tests, so I'm a bit lost as to how to go about programmatically loading a cookie inside a web performance test.

Does anyone have any suggestions?

MichaelH
  • Apache JMeter. There's a fine line between load testing and running a distributed denial of service attack on your own servers. Please don't do that to the authentication provider, in any case. – criticalfix Apr 19 '17 at 15:56
  • @criticalfix Yes, that's precisely what we're trying to avoid. The idea we're working with is to login to the authentication provider just once, and use that one session for all the load-testing. – MichaelH Apr 19 '17 at 16:08
  • I hope you are testing your application with multiple users. In that case, extracting cookie information manually and feeding it into the test script is not feasible. One solution I can think of is: disable the authentication layer and directly hit the application. – NaveenKumar Namachivayam Apr 19 '17 at 18:08

2 Answers

I would break down the task into smaller pieces. If your main job is to load test the application, I would set it up on the internal network with Windows authentication or anonymous authentication, and modify the application to avoid having to deal with that part of the problem.

For the authentication piece of the problem, try to set it up so a single static cookie will work every time. (If you need thousands of distinct user cookies, this becomes a bigger job, of course.)

See here for a discussion of the Apache JMeter cookie manager.

criticalfix
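
The single-session approach from the question and the answer above, as an added example in Python (not code from this thread, and not a Visual Studio web test): it replays one captured cookie against the application and stops every worker as soon as the application redirects to the authentication provider, so an expired session does not turn the load test into traffic against the provider. `base_url`, `auth_host` and the function names are assumptions.

```python
import http.client
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit


class AuthRedirect(Exception):
    """The application tried to send this client to the authentication provider."""


def replay(base_url, path, cookie, auth_host):
    """GET one page with the captured cookie and return the HTTP status.

    http.client never follows redirects, so a redirect to auth_host is seen
    here and raised instead of being turned into a request to the provider.
    """
    parts = urlsplit(base_url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        conn.request("GET", path, headers={"Cookie": cookie})
        resp = conn.getresponse()
        resp.read()
        target = urlsplit(resp.getheader("Location") or "").hostname
        if 300 <= resp.status < 400 and target == auth_host.lower():
            raise AuthRedirect(path)  # session expired or rejected
        return resp.status
    finally:
        conn.close()


def run_load(base_url, paths, cookie, auth_host, workers=4):
    """Replay paths from `workers` threads; the first AuthRedirect stops them all."""
    stop, statuses = threading.Event(), []

    def one(path):
        if stop.is_set():
            return  # another worker already saw the session fail
        try:
            statuses.append(replay(base_url, path, cookie, auth_host))
        except AuthRedirect:
            stop.set()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        list(pool.map(one, paths))
    ok = statuses.count(200)
    return {"ok": ok, "other": len(statuses) - ok, "aborted": stop.is_set()}
```

The captured cookie is a live session credential, so pass it in at run time rather than saving it in the script or the test project.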

I would ask if the authentication could be stubbed out. Instead of calling the 3rd party, call a stub application which will return the equivalent responses. That way, instead of stressing the 3rd party, it's only your (self-hosted) stub that is affected.

This is the opposite of not having a front-end application; in which case a test harness would be required to emulate the front-end. A stub is the equivalent for emulating a back-end application.

Ian Hodgetts