Monday, 5 July 2010

Correlating Session ID

HTTP is a stateless protocol which means that the web server is not keeping track of client (most of the times web browser) activities. Using just HTTP protocol alone user would have to enter authentication data upon each page request as the protocol defines no way of distinguishing between requests. The most common way of dealing with that problem is to append a unique identifier to each request so that web server can relate all requests with the specific id to a unique user.

This technique is called session management. There are three most commonly used ways of maintaining session id between requests:

  • Cookies
  • URL rewrite
  • Hidden fields
Each time a web browser connects to web application without sending session id (usually upon the first access of the application) a web server will assign a new session id to that browser.

In most cases a web browser will maintain session id until the web browser is closed which needs to be replicated in a WebTest. Depending on the way the web session is maintained by the web application some manual work might be required.

From performance test point of view cookies are usually the easiest to deal with. VSTS (as well as many other tools) will automatically extract cookies sent by the web application and use those in subsequent requests.

In most of the cases no scripting action is required to correlate cookies.

URL rewrite
URL rewrite is a session management technique which doesn’t relay on cookies support (as this can be occasionally switched off due to security constrains).

With URL rewrite session id will be appended to the URL. Recorded session id will have to be replaced with the dynamically assigned session id returned by the server.

This process of extracting value from one request and then using it in another is often referred to as correlating performance scripts.

URL rewrite URL can look similar to this:;jsessionid=76489BF47E98F1

Hidden fields
Another technique of maintaining web session is to embed hidden field with session id within a web form.

Similarly to URL rewrite session id will have to be extracted from the first server response where it appears and then original/hardcoded session id needs to be replaced with the dynamically extracted value.

In most of the cases correlation of the session id and other dynamic parameters can be done following the same process although it is good to have knowledge of their distinct types and purposes they serve.

For the full guide to developing VSTS WebTests please refer to the Using Fiddler with VSTS.

1 comment: