Thanks for posting this.... was exactly what I needed :)

On Wednesday, 22 June 2011 14:22:52 UTC+5:30, Ivan Uemlianin wrote:
>
> Dear Malcolm
>
> Thanks very much for your help!  You were exactly right.  The 
> following config works (simplified for exposition). 
>
> Best wishes 
>
> Ivan 
>
> <session name='with_csrf' probability='100'  type='ts_http'> 
>
> <request> 
>   <dyn_variable name="csrfmiddlewaretoken" ></dyn_variable> 
>   <http url='http://mysite.com/' method='GET'></http> 
> </request> 
>
> <thinktime random='true' value='6'/> 
>
> <request subst="true"> 
>   <http url='/home/' contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F'
>     content_type='application/x-www-form-urlencoded' method='POST'></http>
> </request> 
>
> </session> 
>
>
> On Jun 21, 5:54 pm, Malcolm Box <malcolm....@gmail.com> wrote: 
> > On 21 June 2011 16:48, Ivan Uemlianin <ivan.llai...@gmail.com> wrote: 
> > 
> > > With tsung you record a site visit (called a session) --- log in, view 
> > > various pages, do a few things, log out --- and tsung will then hit 
> > > the site with lots of randomised versions of this session. 
> > 
> > > Many of the views are csrf protected, and the automated requests tsung 
> > > generates don't get through the protection.  For the moment I'm just 
> > > commenting out the csrf middleware in settings.py, but this is 
> > > obviously inconvenient. 
> > 
> > I think you'll need to do some work with dyn_variable to pull the csrf 
> > token out of the original form and re-inject it into the post you send 
> > back. As far as I understand it, all that the csrf protection is is an 
> > opaque value hidden in any form that needs to be present in the 
> > submitted version to be valid. That stops "loose" posts from CSRF
> > attacks working as they don't know the magic key. 
> > 
> > Malcolm

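The extract-and-reinject flow from the config above, written out as an added Python example that is not part of the thread. The sample form, the token value and the simplified `server_accepts` check are constructed for illustration and are not Django's implementation.

```python
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample: the kind of login form the first GET returns.
SAMPLE_FORM = """<form method='post' action='/home/'>
<div style='display:none'>
<input type='hidden' name='csrfmiddlewaretoken' value='constructed-token-0123456789abcdef' />
</div>
<input type='text' name='username' /><input type='password' name='password' />
<input type='hidden' name='next' value='/' />
</form>"""


class HiddenInputs(HTMLParser):
    """Collect name -> value for every hidden <input> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "hidden":
            if attr.get("name"):
                self.fields[attr["name"]] = attr.get("value") or ""


def extract_token(html, name="csrfmiddlewaretoken"):
    """The role dyn_variable plays: pull the token out of the response."""
    parser = HiddenInputs()
    parser.feed(html)
    if name not in parser.fields:
        raise ValueError(f"no hidden field named {name!r} in response")
    return parser.fields[name]


def build_login_body(token, username, password, next_url="/"):
    """The role subst='true' plays: put the fresh token into the POST body."""
    return urlencode({"csrfmiddlewaretoken": token, "username": username,
                      "password": password, "next": next_url})


def server_accepts(body, issued_token):
    """Simplified stand-in for the server check (assumption, not Django's code)."""
    submitted = parse_qs(body).get("csrfmiddlewaretoken", [""])[0]
    return hmac.compare_digest(submitted.encode(), issued_token.encode())
```

A body built from a token recorded in an earlier session fails `server_accepts`, which is why the recorded tsung session was rejected until the token was extracted per session.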