[Server-devel] Populating the Moodle db with users

Ben T benjtran at gmail.com
Sun May 2 05:53:12 EDT 2010


Thanks for the pointer!! I just found the file --
/var/www/moodle/web/lib/moodlelib.php
-- and changed confirm_sesskey() to return true.

Just ran my JMeter script with 5 threads and they all posted to the forum at
the same time, each with its own random string =D

I'll be sure to add my scripts to moodle.org when I'm done with them.

Thx!
Ben

On Wed, Apr 21, 2010 at 6:03 PM, Martin Langhoff
<martin.langhoff at gmail.com> wrote:

> On Wed, Apr 21, 2010 at 8:25 PM, Ben T <benjtran at gmail.com> wrote:
> > I've started on the JMeter scripts but got stuck when I try to have a
> > thread
> ...
> > issue ---- 'Incorrect sesskey submitted, form not accepted!'
>
> Well, yeah, sounds right. Moodle has an XSS protection to make it
> difficult for bots or malicious sw to do this kind of thing.
>
> I am pretty sure that I've posted in a thread related to this (where
> Tim Hunt was also posting) mentioning that the trick is to gut the
> check_sesskey() function to always return true (instead of performing
> the validation).
>
> If recent moodles don't have it as an option (disable sesskey checks
> for load testing / automated testing) then you should submit a patch
> ;-)
>
> > checked the HTTP request that JMeter sends to the server and it does have
> > the session key that I extracted from the response header after loading
> > login/index.php
>
> Yep - but it gets re-seeded in every login. So jmeter should be a tad
> smarter to read the appropriate sesskey for every "client" it runs.
>
>
>
> m
> --
>  martin.langhoff at gmail.com
>  martin at laptop.org -- School Server Architect
>  - ask interesting questions
>  - don't get distracted with shiny stuff  - working code first
>  - http://wiki.laptop.org/go/User:Martinlanghoff
>
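
Added example, not part of the original thread and not Moodle's or JMeter's code: a constructed toy server and client showing the alternative mentioned in the quoted reply, where each simulated client reads the sesskey issued to its own session and the check stays enabled. The `ToyServer` class, the HTML form and the regex are assumptions made for illustration.

```python
import hmac
import re
import secrets

class ToyServer:
    """Constructed stand-in for a server that issues one sesskey per login."""
    def __init__(self):
        self._sesskeys = {}  # session cookie -> sesskey for that session

    def login(self):
        # A new sesskey is seeded on every login, as the reply describes.
        cookie = secrets.token_hex(8)
        self._sesskeys[cookie] = secrets.token_hex(5)
        return cookie

    def get_form(self, cookie):
        # Constructed HTML: the form carries this session's sesskey.
        key = self._sesskeys[cookie]
        return ('<form method="post" action="post.php">'
                f'<input type="hidden" name="sesskey" value="{key}">'
                '<textarea name="message"></textarea></form>')

    def post(self, cookie, sesskey, message):
        # The check stays on: the key must match the one bound to the cookie.
        expected = self._sesskeys.get(cookie, "")
        if not expected or not hmac.compare_digest(expected, sesskey):
            return "Incorrect sesskey submitted, form not accepted!"
        return "posted: " + message

SESSKEY_RE = re.compile(r'name="sesskey"\s+value="([0-9A-Za-z]+)"')

def extract_sesskey(html):
    """Pull the sesskey out of a form page fetched within one session."""
    match = SESSKEY_RE.search(html)
    if match is None:
        raise ValueError("no sesskey field in response")
    return match.group(1)

def run_clients(server, n, shared_key=None):
    """Simulate n load-test clients, each with its own login.

    With shared_key set, every client reuses one captured key (the failing
    setup); otherwise each client extracts the key from its own form page.
    """
    results = []
    for i in range(n):
        cookie = server.login()
        key = shared_key or extract_sesskey(server.get_form(cookie))
        results.append(server.post(cookie, key, f"msg {i}"))
    return results
```

In a JMeter test plan the equivalent step is a per-thread extractor (for example a Regular Expression Extractor) placed after the request that returns the form.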