Dear Malcolm

Thanks very much for your help! You were exactly right. The following config works (simplified for exposition).

Best wishes

Ivan

<session name='with_csrf' probability='100' type='ts_http'>
  <request>
    <!-- dyn_variable captures the csrfmiddlewaretoken form field from this response -->
    <dyn_variable name="csrfmiddlewaretoken"></dyn_variable>
    <http url='http://mysite.com/' method='GET'></http>
  </request>
  <thinktime random='true' value='6'/>
  <!-- subst="true" enables %%_name%% substitution in this request -->
  <request subst="true">
    <http url='/home/'
          contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F'
          content_type='application/x-www-form-urlencoded'
          method='POST'></http>
  </request>
</session>

On Jun 21, 5:54 pm, Malcolm Box <malcolm....@gmail.com> wrote:
> On 21 June 2011 16:48, Ivan Uemlianin <ivan.llai...@gmail.com> wrote:
>
> > With tsung you record a site visit (called a session) --- log in, view
> > various pages, do a few things, log out --- and tsung will then hit
> > the site with lots of randomised versions of this session.
>
> > Many of the views are csrf protected, and the automated requests tsung
> > generates don't get through the protection. For the moment I'm just
> > commenting out the csrf middleware in settings.py, but this is
> > obviously inconvenient.
>
> I think you'll need to do some work with dyn_variable to pull the csrf
> token out of the original form and re-inject it into the post you send
> back. As far as I understand it, all that the csrf protection is is an
> opaque value hidden in any form that needs to be present in the
> submitted version to be valid. That stops "loose" posts from CSRF
> attacks working as they don't know the magic key.
>
> Malcolm
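
The extract-and-resubmit step that the dyn_variable and %%_csrfmiddlewaretoken%% pair performs in the config above, written out in Python as an added example that is not part of the thread. The sample page, the token value and the function names are constructed for illustration; the token deliberately contains characters that need URL-encoding so that path is exercised.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of a login page response (not taken from the thread).
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/home/">
  <input type="hidden" name="csrfmiddlewaretoken" value="c0nstructedT0ken+/=&amp;x">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="next" value="/">
</form>
"""

class HiddenFieldExtractor(HTMLParser):
    """Capture the value of the first <input> with the given name."""
    def __init__(self, field_name):
        super().__init__()
        self.field_name = field_name
        self.value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # attribute values arrive already HTML-unescaped
        if tag == "input" and attrs.get("name") == self.field_name and self.value is None:
            self.value = attrs.get("value")

def extract_token(html, field_name="csrfmiddlewaretoken"):
    """Pull the per-response token out of the form, failing loudly if absent."""
    parser = HiddenFieldExtractor(field_name)
    parser.feed(html)
    if parser.value is None:
        raise ValueError(f"no <input name={field_name!r}> in response")
    return parser.value

def build_login_body(html, username, password, next_url="/"):
    """Form-encode the POST body, re-injecting the token from the fetched page."""
    return urlencode({
        "csrfmiddlewaretoken": extract_token(html),
        "username": username,
        "password": password,
        "next": next_url,
    })

if __name__ == "__main__":
    print(build_login_body(SAMPLE_LOGIN_PAGE, "xxxxxx", "xxxxxx"))
```
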