
Correlating Tokens and Dynamic Data


Background

This article provides scripting examples showing how to correlate dynamic data in your test script. Correlation is often required when you use the Chrome Extension or HAR converter to generate your test script, because those tools capture session IDs, CSRF tokens, VIEWSTATE, wpnonce, and other dynamic values from your specific session. These tokens typically expire very quickly. Handling them is one of the most common things users script for when testing user journeys across websites or web apps.


Correlation

In a load testing scenario, correlation means extracting one or more values from the response of one request and then reusing them in subsequent requests. Often this is a token or some sort of ID needed to complete a sequence of steps in a user journey.

A browser recording will, for example, capture CSRF tokens, VIEWSTATEs, nonces, etc. from your session. This data is likely to no longer be valid when you run your test, so you'll need to extract it from the HTML/form and include it in subsequent requests. This issue is fairly common with any site that has forms and can be handled with a little bit of scripting.

Extracting values/tokens from JSON response

import http from "k6/http";
import { check } from "k6";

export default function() {
    // Make a request that returns some JSON data
    let res = http.get("https://httpbin.org/json");

    // Extract data from that JSON data by first parsing it
    // using a call to "json()" and then accessing properties by
    // navigating the JSON data as a JS object with dot notation.
    let slide1 = res.json().slideshow.slides[0];
    check(slide1, {
        "slide 1 has correct title": (s) => s.title === "Wake up to WonderWidgets!",
        "slide 1 has correct type": (s) => s.type === "all"
    });

    // Now we could use the "slide1" variable in subsequent requests...
}

Relevant k6 APIs:

Extracting values/tokens from form fields

There are two main ways to handle form submissions: either use the higher-level Response.submitForm([params]) API, or extract the necessary hidden fields etc., build the request yourself, and send it with the appropriate http.* API, such as http.post(url, [body], [params]).

Extracting .NET ViewStates, CSRF tokens and other hidden input fields

Method 1 using the k6 HTML parsing and query APIs:

import http from "k6/http";
import {sleep} from "k6";

export default function() {

    // Request the page containing a form and save the response. This gives you access
    // to the response object, `res`.
    let res = http.get("https://test.loadimpact.com/my_messages.php", {"responseType": "text"});

    // Query the HTML for an input field named "redir". We want the value of "redir".
    let elem = res.html().find('input[name=redir]');

    // Get the value of the attribute "value" and save it to a variable
    let val = elem.attr('value');

    // Now you can concatenate this extracted value in subsequent requests that require it.
    // ...
    // console.log() works when executing k6 scripts locally and is handy for debugging purposes
    console.log("The value of the hidden field redir is: " + val);

    sleep(1);
}

Note: Check whether discardResponseBodies is set to true in the options section of your script. If it is, either set it to false or save the response body per request with {"responseType": "text"}, as shown in the example.
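
The following is an added example, not code from the original article or from k6. It generalizes the single-field extraction above to every hidden input in a form and shows how fresh values replace the stale ones from a recording before the body is built by concatenation. It is plain JavaScript with no k6 imports; in a k6 script you would pass res.body from the GET that renders the form. The sample HTML, the field names and the helper names (extractHiddenFields, correlate, encodeForm) are constructed for illustration.

```javascript
// Added example. Constructed sample page; names and values are illustrative only.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="hidden" name="__VIEWSTATE" value="dDwtMTA4+NzA/Zg==" />
  <input value='a&amp;b"c' name='csrf_token' type='hidden'>
  <input type="text" name="username" value="">
</form>`;

// Decode the entities that commonly appear inside attribute values.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Return { name: value } for every hidden input, in any attribute order or quote style.
function extractHiddenFields(html) {
  const fields = Object.create(null);
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = re.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = decodeEntities(m[2] || m[3] || m[4] || "");
    }
    if ((attrs.type || "").toLowerCase() === "hidden" && attrs.name) {
      fields[attrs.name] = attrs.value || "";
    }
  }
  return fields;
}

// Replace recorded (stale) values with fresh ones. Only keys already in the
// recorded body are touched, so user input such as username is kept.
function correlate(recorded, fresh) {
  const body = Object.assign({}, recorded), refreshed = [];
  for (const name of Object.keys(recorded)) {
    if (name in fresh && fresh[name] !== recorded[name]) {
      body[name] = fresh[name];
      refreshed.push(name);
    }
  }
  return { body, refreshed };
}

// Encode each value: base64 ViewState contains "+", "/" and "=", and a raw "+"
// in a form body is decoded as a space by the server.
function encodeForm(obj) {
  return Object.keys(obj)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(obj[k])).join("&");
}
```

The refreshed list returned by correlate is useful while debugging a converted recording: an empty list means the page no longer carries the fields the recording expected.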

Relevant k6 APIs: