I need to troubleshoot a bug that appears only in production and I'm hoping to use https://goreplay.org/shadowing.html method. It all sounds amazing in theory, but after having thought about it, I'm thinking this attempt will fail.
The application in question uses user sessions, CSRF tokens etc. Wouldn't this make the replay fail? Sessions are CSRF token are designed specifically to make what I'm trying to do fail.
For example let's say I'm replaying real traffic meant for server A into server B:
- Request1A: POST login&user=test&password=pass
- Request1B: POST login&user=test&password=pass
- Response1A: SESSION=1234 (randomly generated)
- Response1B: SESSION=9876 (randomly generated)
- Request2A: GET COOKIE:SESSION=1234
- Request2B: GET COOKIE:SESSION=1234 (Only requests are replayed, so it has no idea that it has to use session 9876 during replay - so it fails)
The problem is that with a stateful application this is a two way street, isn't it? The next request depends on the previous response, I can't just replay it and expect it to work.
Does that mean that shadowing methods only applicable to stateless HTTP APIs? - the article doesn't say anything about such a limitation. Or am I completely misunderstanding all this?
If I do understand correctly, is there a trick to make this work? Or is this designed to be impossible because of the very security measures that make this impossible?
