Log In and Log Out

Applies to ReadyAPI 3.51, last modified on March 04, 2024

Although the session security handling is common for most web applications, it is not regular practice when it comes to web services. This topic describes how to create tests that check whether your service behaves properly on multiple logins.

Base test

The most common security flaw is allowing a user to gain access to the service using the same user ID multiple times. To test your service’s behavior in that case, do the following:

  1. Perform a standard login procedure.

  2. Perform a standard login procedure once again using the same user ID.

After that, identify potential security problems in the response message and then fix them.

Complex test

Now, let’s develop the scenario and make the test more complex. For example, create another test using the following algorithm:

  1. Login.

  2. Logout.

  3. Login.

  4. Logout.

  5. Login.

  6. Login.

Although it is unlikely that the result differs from the previous test, you should do this test to make sure everything works well.

You can enhance the test by making longer chains of logins and logouts to find possible problems and unusual behavior. You can also use correct, expired, and wrong session IDs.

Correct ID

This test is a basic one. Use it as a control test:

  • Login:

    <login>
        <username>smartbear</username>
        <password> ReaDyAP1R0ck5</password>
    </login>

  • Response:

    <loginResponse>
        <sessionid>0646305218268376</sessionid>
    </loginResponse>

  • New request:

    <getcustomer>
        <sessionid>0646305218268376</sessionid>
        <customerid>vipcustomers_ 23957</ customerid >
    </getcustomer>

To transfer the session ID from the login response to the getcustomer request, use the following code:

<getcustomer>
    <sessionid>${Request: Login#Response#//sam:loginResponse[1]/sessionid[1]}</sessionid>
    <customerid>vipcustomers_ 23957</ customerid >
</getcustomer>

Expired session ID

To improve your test, add the getcustomer request after logging out.

  • Login:

    <login>
        <username>smartbear</username>
        <password> ReaDyAP1R0ck5</password>
    </login>

  • Response:

    <loginResponse>
        <sessionid>0646305218268376</sessionid>
    </loginResponse>

  • Logout:

    <logout>
        <sessionid>0646305218268376</sessionid>
    </logout>

  • After-logout request:

    <getcustomer>
        <sessionid>0646305218268376</sessionid>
        <customerid>vipcustomers_ 23957</ customerid >
    </getcustomer>

  • Request with the expired ID:

    <getcustomer>
        <sessionid>0646305218268376</sessionid>
        <customerid>vipcustomers_ 23957</ customerid >
    </getcustomer>

Wrong session ID

During this test, use the getcustomer request with a wrong ID right after logging out.

  • Login:

    <login>
        <username>smartbear</username>
        <password> ReaDyAP1R0ck5</password>
    </login>

  • Response:

    <p>&lt;login&gt;<br/>
    &nbsp;&nbsp;&nbsp;&nbsp;&lt;username&gt;smartbear&lt;/username&gt;<br/>
    &nbsp;&nbsp;&nbsp;&nbsp;&lt;password&gt; ReaDyAP1R0ck5&lt;/password&gt;<br/>
    &lt;/login&gt;</p>

  • Logout:

    <logout>
        <sessionid>0646305218268376</sessionid>
    </logout>

  • Request with a non-existing ID:

    <getcustomer>
        <sessionid>456464564654645</sessionid>
        <customerid>vipcustomers_ 23957</ customerid >
    </getcustomer>

The latter request should cause an error message.

To further develop these tests, try different unexpected variations.

See Also

Sample Login Tests

Highlight search results