The CSRF token is something you will encounter on most e-commerce sites. For this reason, we receive a lot of questions about getting past this token within a JMeter script. The CSRF token usually changes multiple times in an end-to-end flow. The token you get on your first visit is going to be different from the token you need to use after you log in. So here is how to extract it using multiple post processors.

Here is my request flow:

[Image: CSRF Token 1]

We get our first CSRF token from the login page HTML with a CSS selector.

It is declared as an input value so we can use a CSS selector to extract it. Let’s test it first.

[Image: CSRF Token 3]

It seems to be working.

[Image: CSRF Token 4]

Then we make a POST request using this CSRF token to log in.

[Image: CSRF Token 5]

We are redirected to the main page as a logged-in user.

We need to use the CSRF token again for adding products to the cart and for the checkout process. You can see the /cart/add service parameters as an example below.

[Image: CSRF Token 6]

This time, the CSRF token appears inside a `<script></script>` section as a line of code, so a CSS selector will not reach it. We need to use a Boundary Extractor to pull it out of that line.

[Image: CSRF Token 7]
[Image: CSRF Token 8]

Now we remain a logged-in user as long as we send ${CSRFToken} as a parameter in other requests.

I also want to show you another form that we can come across even though it is not included in our flow.

Some services may return the token in a JSON object in the response. In that case we can write a JSON Path expression to extract the value. For example:

[Image: CSRF Token 9]

It seems to work. Now we can create a JSON Extractor.

[Image: CSRF Token 10]
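To check a selector, a pair of boundaries or a JSON path offline before configuring the post processors, the three extractions described above can be reproduced in a short script. This is an added example, not part of the original post or of JMeter; the sample responses, the field names `csrf_token` and `csrfToken`, and the token values are constructed assumptions.

```python
import json
from html.parser import HTMLParser

# Constructed sample responses: markup, field names and token values are assumptions.
LOGIN_HTML = '<form method="post"><input type="hidden" name="csrf_token" value="tok-anon-111"></form>'
HOME_HTML = '<script>\n  window.csrfToken = "tok-user-222";\n</script>'
API_JSON = '{"status": "ok", "data": {"csrfToken": "tok-user-333"}}'
DEFAULT = "NOT_FOUND"  # plays the role of the extractors' Default Value field


class _InputValue(HTMLParser):  # keeps the value of the first <input name=...>
    def __init__(self, name):
        super().__init__()
        self.name, self.value = name, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == self.name and self.value is None:
            self.value = attrs.get("value")


def css_input_value(html, name):
    """Equivalent of the selector input[name=<name>] with attribute 'value'."""
    parser = _InputValue(name)
    parser.feed(html)
    return parser.value if parser.value is not None else DEFAULT


def boundary(text, left, right):
    """Returns the text between the first left boundary and the next right boundary."""
    start = text.find(left)
    end = text.find(right, start + len(left)) if start >= 0 else -1
    return text[start + len(left):end] if end >= 0 else DEFAULT


def json_value(body, keys):
    """Walks nested keys, e.g. ["data", "csrfToken"] for $.data.csrfToken."""
    try:
        node = json.loads(body)
        for key in keys:
            node = node[key]
        return str(node)
    except (ValueError, KeyError, IndexError, TypeError):
        return DEFAULT


if __name__ == "__main__":
    print(css_input_value(LOGIN_HTML, "csrf_token"))          # pre-login token
    print(boundary(HOME_HTML, 'window.csrfToken = "', '";'))  # post-login token
    print(json_value(API_JSON, ["data", "csrfToken"]))        # token from a JSON body
```

A `NOT_FOUND` result means the extractor no longer matches the response, which is the same signal a recognizable Default Value gives when a later request is sent with a missing token.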

To keep learning and staying up to date, keep in touch with Loadium blog posts all the time. Happy load testing with Loadium!