"Invalid redirect to the same request" error upon 302 Redirect with Set-Cookie header


Pascal Davoust

Dec 9, 2020, 11:07:34 AM
to Gatling User Group
Hi again,

Upgrading to 3.4.2 from 2.3.x spawns a new error in our Gatling scenarios:

Invalid redirect to the same request

This looks like the result of https://github.com/gatling/gatling/issues/3480 , which is implemented by https://github.com/gatling/gatling/blob/3.4/gatling-http/src/main/scala/io/gatling/http/engine/response/RedirectProcessor.scala

As far as I can tell, the error should occur only when the requested URI equals the target redirect URI with same method and same set of cookies.

The app is indeed responding with a redirect to the same URI, but with a different cookie: the 302 response does contain a Set-Cookie with a different value.
This happens during the logout process, which is a quite common pattern: session invalidation occurs server-side and a new session id is generated, leading to setting the new session id as a cookie in the 302 response.

It looks like the Set-Cookie from the 302 response is disregarded...

Here is the HTTP dump from Gatling:

gatling.http.cookies -> CookieJar(Map(CookieKey(jsessionid,redact.host,/app) -> StoredCookie(JSESSIONID=4F49E96F2E86A78A2F507053811945A3, path=/app, HTTPOnly, SameSite=Lax,true,false,1607528569673)))
=========================

HTTP request:
GET http://redacted.host:8080/app/login/login.action
headers=
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
referer: <redacted>
cookie: JSESSIONID=F0C5B71B32D1B58D37435407E68A1FD1
host: redacted.host
cookies=JSESSIONID=4F49E96F2E86A78A2F507053811945A3, path=/app, HTTPOnly, SameSite=Lax

=========================
HTTP response:
status=302 
headers=
Cache-Control: must-revalidate, no-cache, no-store, proxy-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=F0C5B71B32D1B58D37435407E68A1FD1; Path=/app; HttpOnly; SameSite=Lax
Location: /app/login/login.action
Content-Length: 0
Date: Wed, 09 Dec 2020 15:43:14 GMT

As you can see, the trace shows the Set-Cookie from the response, but the same cookie value also appears in the request (bold red above). This is just not possible, because the cookie value in the response is generated during the processing of the request, which can therefore not contain the same value (or there is a huge flaw in the session id generation algorithm :-) ).
The cookie jar from the session dump (bold green) has indeed a different value, which is different from the logged request content.

Any clue about what's happening?

Regards

Pascal D

Stéphane LANDELLE

Dec 9, 2020, 11:13:46 AM
to gat...@googlegroups.com
From https://groups.google.com/g/gatling:

  • Provide a Short, Self Contained, Correct (Compilable), Example (see http://sscce.org/)

Stéphane Landelle
Chief Technical Officer
twitter: @slandelle
site: gatling.io





Pascal Davoust

Dec 9, 2020, 1:53:54 PM
to Gatling User Group
From https://groups.google.com/g/gatling:
  • Provide a Short, Self Contained, Correct (Compilable), Example (see http://sscce.org/)
Fair enough, here you go.

File nginx.conf:
--------------
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    server {
        location /page1.html {
            root /usr/share/nginx/html;
            if ($cookie_JSESSIONID != "1111111111111") {
                add_header Set-Cookie JSESSIONID=1111111111111;
                return 302 $scheme://$http_host/page1.html;
            }
        }
        location /page2.html {
            root /usr/share/nginx/html;
            add_header Set-Cookie JSESSIONID=2222222222222;
        }
    }
}
--------------

File page1.html:
--------------
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Page 1</title>
  </head>
  <body>
    <h1>Page 1</h1>
    Goto <a href="page2.html">Page 2</a>
  </body>
</html>
--------------

File page2.html:
--------------
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Page 2</title>
  </head>
  <body>
    <h1>Page 2</h1>
    Goto <a href="page1.html">Page 1</a>
  </body>
</html>
--------------

File Redirect.scala:
--------------
import io.gatling.core.scenario.Simulation
import io.gatling.core.Predef._
import io.gatling.http.Predef._

class Redirect extends Simulation {

  val httpProtocol = http
    .baseUrl("http://localhost:8080")

  val scn = scenario("Redirect")
  .exec(http("page1").get("/page1.html"))
  .exec(http("page2").get("/page2.html"))
  .exec(http("page1again").get("/page1.html"))

  setUp(scn.inject(atOnceUsers(1)).protocols(httpProtocol))
}
--------------

Instructions:
Drop these files into a work directory.
Run the nginx container using:
pathtofiles=/path/to/your/workdir
docker run -it --rm --name nginx \
  -v $pathtofiles/page1.html:/usr/share/nginx/html/page1.html:ro \
  -v $pathtofiles/page2.html:/usr/share/nginx/html/page2.html:ro \
  -v $pathtofiles/nginx.conf:/etc/nginx/nginx.conf:ro \
  -p 8080:80 \
  nginx:1.19.5-alpine

Hit http://localhost:8080/page1.html, then go to page2 and then back to page 1 - check network logs from your browser, note how cookies are set and when.

Now run the provided Redirect scenario - you'll get:

================================================================================
2020-12-09 17:48:45                                           0s elapsed
---- Requests ------------------------------------------------------------------
> Global                                                   (OK=3      KO=1     )
> page1                                                    (OK=1      KO=0     )
> page1 Redirect 1                                         (OK=1      KO=0     )
> page2                                                    (OK=1      KO=0     )
> page1again                                               (OK=0      KO=1     )
---- Errors --------------------------------------------------------------------
> Invalid redirect to the same request                                1 (100.0%)

---- Redirect ------------------------------------------------------------------
[##########################################################################]100%
          waiting: 0      / active: 0      / done: 1     
================================================================================

Regards

Pascal D
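
The loop check described in the first post (same URI, same method, same set of cookies), modeled in Python against the nginx rules of the reproducer. This is an added example, not part of the thread and not Gatling's code; the function names, the path-only `Location` and the `loop_redirect` server are assumptions made for the illustration.

```python
# Added illustration: models the posted nginx.conf rules and a redirect-loop
# check keyed on (method, URI, cookies). Hypothetical names, not Gatling code.

ROTATED = "1111111111111"  # value nginx sets on /page1.html in the reproducer


def nginx(path, cookies):
    """Return (status, set_cookie, location) as the posted nginx.conf would."""
    if path == "/page1.html":
        if cookies.get("JSESSIONID") != ROTATED:
            return 302, ("JSESSIONID", ROTATED), "/page1.html"
        return 200, None, None
    if path == "/page2.html":
        return 200, ("JSESSIONID", "2222222222222"), None
    return 404, None, None


def loop_redirect(path, cookies):
    """Constructed faulty server: redirects to itself and never changes state."""
    return 302, None, path


def fetch(server, path, jar, max_redirects=5):
    """GET path and follow redirects; jar is updated in place.

    Returns the list of (path, status) hops, or raises on a genuine loop.
    """
    hops = []
    for _ in range(max_redirects + 1):
        sent = ("GET", path, frozenset(jar.items()))  # request as sent
        status, set_cookie, location = server(path, dict(jar))
        if set_cookie:
            # Store the Set-Cookie before comparing, including on a 302.
            jar[set_cookie[0]] = set_cookie[1]
        hops.append((path, status))
        if status != 302:
            return hops
        nxt = ("GET", location, frozenset(jar.items()))  # request to send next
        if nxt == sent:
            raise RuntimeError("Invalid redirect to the same request")
        path = location
    raise RuntimeError("Too many redirects")


def run_scenario():
    """The three requests of the Redirect simulation, sharing one cookie jar."""
    jar = {}
    paths = ("/page1.html", "/page2.html", "/page1.html")
    return [fetch(nginx, p, jar) for p in paths], jar
```

With the rotated cookie stored before the comparison, both visits to page1 follow one redirect and end in a 200, while the constructed self-redirect with unchanged cookies is still rejected.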

Stéphane LANDELLE

Dec 9, 2020, 3:33:35 PM
to gat...@googlegroups.com



Pascal Davoust

Dec 10, 2020, 10:52:01 AM
to Gatling User Group
Thanks a ton. :-)
As usual... any foreseen date for the 2.5.0 release? ;-)
Or any way to work around this problem in the meanwhile?
Rgds
Pascal D

Stéphane LANDELLE

Dec 10, 2020, 10:52:55 AM
to gat...@googlegroups.com
Planned for Monday along with FrontLine 1.13.0





Pascal Davoust

Dec 10, 2020, 11:51:00 AM
to Gatling User Group
Wow, that's fast!
You rock, guys. (Y)
