How to test AJAX which needs the session authenticated?

We have a web application implemented with the Spring Framework. A scenario is:
1. a user logs in,
2. she fills out a form, then clicks a button to create an order. The click fires an AJAX call like this:
http://SERVER/createOrder

The AJAX response contains the order's ID (ORDER_ID).

3. Then the page is populated with another form for more details about the order. When the user fills in the new form, she clicks a save button, which is another AJAX call to the server like:
http://SERVER/saveOrder/ORDER_ID

My questions are:
1. When I run the validation, the http://SERVER/createOrder AJAX call is redirected to the login page; it seems it is not authenticated. How can I make sure this AJAX call uses the session's authentication?

2. Let's assume I could pass step one with your help. How can I get the ORDER_ID from the AJAX response and use it for the second AJAX call (http://SERVER/saveOrder/ORDER_ID)? The first AJAX call returns JSON like
{"id":"12345"}

Thank you!

sam S.

Answers

Nouredine A. (Team)

Your first issue seems to be related to some dynamic parameters related to the user session that were not handled, i.e. correlated.

Regarding the second question, you just need to create a variable extractor on the createOrder request to grab the order_id from the server response. It will be stored in a NeoLoad variable that you can use in the saveOrder request.

For both issues I would suggest you look at the Neotys Academy here, where you can find some courses related to dynamic data and the variable extractor feature.

sam S.

For step 1, I found that:
1. if I disable CSRF in the web app, the AJAX POST request will go through.
2. if I enable CSRF, then extract the CSRF token from the login page and use it in the AJAX POST's request header (X-CSRF-TOKEN), it still cannot go through. (Using Chrome's dev tools, I checked the login page and the AJAX POST request header; they do have the same CSRF token.)

Am I missing something here? Why is setting X-CSRF-TOKEN not enough?

Thanks!
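As an added example (not code from this thread, from NeoLoad or from Spring), the following Python models the correlation both replies are circling: the CSRF token is re-extracted from every response instead of being copied once from the login page, because Spring Security's CsrfAuthenticationStrategy issues a new token when the user authenticates, and ORDER_ID is pulled from the createOrder JSON to build the saveOrder URL. The sample page bodies, token values and order id are constructed, and the example assumes Spring Security's default `_csrf` parameter name and `X-CSRF-TOKEN` header.

```python
import json
import re

# Constructed sample responses (token values and order id are made up).
LOGIN_PAGE = ('<form action="/login" method="post">'
              '<input type="hidden" name="_csrf" value="tok-before-login"/></form>')
POST_LOGIN_PAGE = '<html><head><meta name="_csrf" content="tok-after-login"/></head></html>'
CREATE_ORDER_RESPONSE = '{"id":"12345"}'

# Spring Security defaults: parameter "_csrf" (hidden field or <meta> tag), header X-CSRF-TOKEN.
CSRF_PATTERNS = [
    re.compile(r'name="_csrf"[^>]*\bvalue="([^"]+)"'),
    re.compile(r'name="_csrf"[^>]*\bcontent="([^"]+)"'),
]

def extract_csrf_token(body):
    """Return the CSRF token carried by a page body, or None if it has none."""
    for pattern in CSRF_PATTERNS:
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None

def extract_order_id(body):
    """Pull ORDER_ID out of the createOrder JSON body, e.g. {"id":"12345"}."""
    return str(json.loads(body)["id"])

class CorrelatedSession:
    """CSRF token currently valid for one virtual user's session. Spring Security
    regenerates it on authentication, so the login-page value is stale after
    /login; every response is inspected and the newest token wins."""
    def __init__(self):
        self.csrf_token = None
    def observe(self, body):
        self.csrf_token = extract_csrf_token(body) or self.csrf_token
    def ajax(self, method, path):
        headers = {"X-CSRF-TOKEN": self.csrf_token} if self.csrf_token else {}
        return {"method": method, "url": "http://SERVER" + path, "headers": headers}

def run_scenario():
    s = CorrelatedSession()
    s.observe(LOGIN_PAGE)                    # token from the login form
    s.ajax("POST", "/login")                 # step 1: authenticate
    s.observe(POST_LOGIN_PAGE)               # token rotated; re-extract it
    create = s.ajax("POST", "/createOrder")  # step 2
    order_id = extract_order_id(CREATE_ORDER_RESPONSE)
    save = s.ajax("POST", "/saveOrder/" + order_id)  # step 3
    return {"create": create, "save": save, "order_id": order_id}
```

In NeoLoad terms this is a variable extractor placed on a page fetched after login rather than on the login page, plus the extractor on the createOrder response that the reply above describes.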