Thanks very much for your help! You were exactly right. The
following config works (simplified for exposition).
Best wishes
Ivan
<session name='with_csrf' probability='100' type='ts_http'>
  <request>
    <!-- no regexp given: tsung reads the hidden <input name="csrfmiddlewaretoken"> from the page -->
    <dyn_variable name="csrfmiddlewaretoken"></dyn_variable>
    <http url='http://mysite.com/' method='GET'></http>
  </request>
  <thinktime random='true' value='6'/>
  <request subst="true">
    <!-- subst="true" expands %%_csrfmiddlewaretoken%% with the value captured above;
         '&' inside an XML attribute must be written as &amp; -->
    <http url='/home/'
          contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F'
          content_type='application/x-www-form-urlencoded' method='POST'></http>
  </request>
</session>
On Jun 21, 5:54 pm, Malcolm Box <malcolm....@gmail.com> wrote:
> On 21 June 2011 16:48, Ivan Uemlianin <ivan.llai...@gmail.com> wrote:
>
> > With tsung you record a site visit (called a session) --- log in, view
> > various pages, do a few things, log out --- and tsung will then hit
> > the site with lots of randomised versions of this session.
>
> > Many of the views are csrf protected, and the automated requests tsung
> > generates don't get through the protection. For the moment I'm just
> > commenting out the csrf middleware in settings.py, but this is
> > obviously inconvenient.
>
> I think you'll need to do some work with dyn_variable to pull the csrf
> token out of the original form and re-inject it into the post you send
> back. As far as I understand it, all that the csrf protection is is an
> opaque value hidden in any form that needs to be present in the
> submitted version to be valid. That stops "loose" posts from CSRF
> attacks working as they don't know the magic key.
>
> Malcolm
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
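An added illustration of the round-trip described in this thread (example code written for this page, not part of the original posts and not tsung or Django code): a toy server that issues an opaque csrfmiddlewaretoken in a hidden form field and checks it against the cookie on POST, a hidden-input extractor that does what tsung's dyn_variable does by default, and a %%_name%% expander standing in for subst="true". The HTML, the ToyCsrfSite class and the placeholder credentials are all constructed for this example. It shows why a "loose" POST is rejected while one that carries the extracted token is accepted.

```python
import hmac
import re
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class HiddenInputExtractor(HTMLParser):
    """Collect <input type="hidden" name=... value=...> fields from an HTML page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("type", "").lower() == "hidden" and attr.get("name"):
            self.hidden[attr["name"]] = attr.get("value", "")


def extract_hidden(html, name):
    """What tsung's <dyn_variable name="..."> does without a regexp: read a hidden input's value."""
    parser = HiddenInputExtractor()
    parser.feed(html)
    return parser.hidden.get(name)


TSUNG_VAR = re.compile(r"%%_(\w+)%%")


def substitute(template, variables):
    """Expand tsung-style %%_name%% placeholders, as subst="true" does on a request."""
    return TSUNG_VAR.sub(lambda m: variables[m.group(1)], template)


class ToyCsrfSite:
    """Constructed stand-in for a Django-style server (not Django itself):
    the token issued in the cookie must match the hidden form field on POST."""

    def __init__(self):
        self.cookie_token = None

    def get_login_form(self):
        token = secrets.token_hex(16)  # opaque value a cross-site page cannot read
        self.cookie_token = token
        return (
            '<form method="post" action="/home/">\n'
            f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">\n'
            '<input name="username"><input type="password" name="password">\n'
            '</form>'
        )

    def post_login(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        form_token = form.get("csrfmiddlewaretoken", "")
        # Constant-time comparison of cookie token and form token; mismatch or absence -> 403
        if not self.cookie_token or not hmac.compare_digest(self.cookie_token, form_token):
            return 403
        return 200


def loose_post():
    """A POST that never read the form carries no token and is rejected."""
    site = ToyCsrfSite()
    site.get_login_form()
    body = urlencode({"username": "xxxxxx", "password": "xxxxxx", "next": "/"})
    return site.post_login(body)


def post_with_token():
    """GET the form, pull the hidden token, reinject it: the flow of the tsung session above."""
    site = ToyCsrfSite()
    token = extract_hidden(site.get_login_form(), "csrfmiddlewaretoken")
    body = substitute(
        "csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&username=xxxxxx&password=xxxxxx&next=%2F",
        {"csrfmiddlewaretoken": token},
    )
    return site.post_login(body)


if __name__ == "__main__":
    print("loose POST ->", loose_post())
    print("POST with extracted token ->", post_with_token())
```

The toy only models the hidden-field half of Django's check; the real middleware also ties the token to the csrftoken cookie that the GET sets, which is why the tsung session has to perform the GET in the same session before the POST rather than posting a token copied from elsewhere.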