Load Testing with MultiFactor Websites

6 posts, 0 answers
  1. John
    3 posts
    Member since:
    Mar 2011

    Posted 15 Feb 2013

    We have recently started to see how we might be able to utilize the load testing features, and we are running into some issues with our multifactor aspects on the webpage. It uses GUIDs and cookies, and when you capture that traffic it doesn't recognize it (it doesn't pass the multifactor check) when you play it back. So all the load tests just hit the login page, then the challenge page over and over, and don't ever reach the main site. In normal tests we are able to bypass it by running a database command to set the challenge code to a known code. We could put in code to bypass our multifactor in order to test, but we really don't like that idea. What are some of the approaches that others have used to load test websites with multifactor?
    Thanks
    John
  2. Cody
    Admin
    3354 posts

    Posted 18 Feb 2013

    Hi John,

    Please excuse my ignorance but I do not understand what are these "multifactor aspects on the webpage" you speak of. I fully understand what cookies are and how they are generally used. I also understand what a GUID is, but can you please explain how they are being used in your web application?

    Once I understand these details then I'll be able to assist you with getting our load testing feature to work with it.

    Regards,
    Cody
    the Telerik team
  3. John
    3 posts
    Member since:
    Mar 2011

    Posted 19 Feb 2013

    Multifactor is related to an FDIC guideline for banks and such that you must have multiple pieces of information to verify your identity, such as a username/password pair and a cellphone. If they haven't logged in from a particular location, or they didn't want to remember the location last time, you need to challenge them with this secondary piece of information, which could be a cell phone call, text, or email. The main problem this causes is that for a load test I haven't been able to "fake" a second authentication by sending what was recorded, as the authentication code that is delivered by various means changes every time.
  4. Cody
    Admin
    3354 posts

    Posted 19 Feb 2013

    Hi John,

    Here's an idea that may work, depending on how the authentication is performed at the HTTP level of your web application. We support data driving load tests. The data source can be an external file (Excel spreadsheet, XML file, CSV file) or a SQL database. If you can come up with some mechanism whereby the required dynamically changing challenge data (e.g. string or number sent in text message to cell phone) is placed into the data source just prior to running the load test, then the load test can pull the data from your data source, use it in the authentication process and continue on its merry way.

    If you use a SQL database you could even go so far as to create a stored procedure that automatically runs on a regular basis to maintain the correct value needed by the load test.

    Do you think this approach might work?

    Kind regards,
    Cody
    the Telerik team
  5. John
    3 posts
    Member since:
    Mar 2011

    Posted 19 Feb 2013

    I could probably do something like your second post, where I set with a SQL trigger the challenge info to a known value instead of the random one.
    Can you run a SQL script before the load test somehow, like in the coded steps on the regular tests?

  6. Cody
    Admin
    3354 posts

    Posted 19 Feb 2013

    Hi John,

    Yes, that is possible. If you scroll down to the middle of this page you can see how you can enter your own T-SQL statements, i.e. execute your own SQL queries to get the data as part of the test initialization process.

    All the best,
    Cody
    the Telerik team
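An added example, not part of the original thread and not Telerik's code: one way to pre-seed challenge data for a data-driven load test, as discussed above, without adding bypass code to the application. It writes a fresh random code per flagged test account and exports the pairs as a CSV data source. SQLite stands in for the test database; the table names, the `is_load_test` flag and the `environment` setting are assumptions.

```python
import csv
import io
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema standing in for the application's test database.
SCHEMA = """
CREATE TABLE app_settings (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE users (username TEXT PRIMARY KEY, is_load_test INTEGER NOT NULL);
CREATE TABLE mfa_challenges (username TEXT PRIMARY KEY, code TEXT, expires_at TEXT);
"""

def seed_challenges(db, ttl_minutes=30):
    """Give each load-test account a fresh code; return the CSV data source."""
    env = db.execute(
        "SELECT value FROM app_settings WHERE key = 'environment'").fetchone()
    if env is None or env[0] != "loadtest":
        # Guard: never overwrite challenge codes in a non-test database.
        raise RuntimeError("refusing to seed codes outside the load-test DB")
    expires = (datetime.now(timezone.utc)
               + timedelta(minutes=ttl_minutes)).isoformat()
    accounts = db.execute(
        "SELECT username FROM users WHERE is_load_test = 1 "
        "ORDER BY username").fetchall()
    rows = []
    for (username,) in accounts:
        code = f"{secrets.randbelow(10**6):06d}"  # per-run, per-user code
        db.execute(
            "INSERT OR REPLACE INTO mfa_challenges VALUES (?, ?, ?)",
            (username, code, expires))
        rows.append((username, code))
    db.commit()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["username", "challenge_code"])
    writer.writerows(rows)
    return out.getvalue()

def build_sample_db(environment):
    """Constructed sample data: two load-test accounts and one real user."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO app_settings VALUES ('environment', ?)",
               (environment,))
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("loadtest01", 1), ("loadtest02", 1), ("alice", 0)])
    db.commit()
    return db

if __name__ == "__main__":
    print(seed_challenges(build_sample_db("loadtest")))
```

The application's multifactor check stays unchanged: only accounts flagged for load testing get seeded codes, and the codes expire after the run window.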