Load Testing Authenticated Login Flows

Guide on handling CSRF tokens, sessions, and protected pages with LoadForge using Locust.

LoadForge can record your browser, graphically build tests, scan your site with a wizard and more. Sign up now to run your first test.

Sign up now

Overview

Testing authenticated flows requires obtaining CSRF tokens, logging in with credentials, maintaining session cookies, and accessing protected endpoints. Locust’s HttpUser manages cookies automatically, enabling realistic user simulations.

Locust Test Script (locust.py)

# locust.py
from bs4 import BeautifulSoup
from locust import HttpUser, between, task

class AuthFlowUser(HttpUser):
    wait_time = between(1, 3)
    host = "https://example.com"

    def on_start(self):
        # Load login page to fetch CSRF token
        response = self.client.get("/login", name="Get Login Page")
        soup = BeautifulSoup(response.text, "html.parser")
        token = soup.find("input", {"name": "csrf_token"})["value"]
        # Perform login with CSRF and credentials
        self.client.post(
            "/login",
            name="Perform Login",
            data={"username": "user", "password": "pass", "csrf_token": token}
        )

    @task(3)
    def load_dashboard(self):
        self.client.get("/dashboard", name="Dashboard")

    @task(1)
    def load_profile(self):
        self.client.get("/profile", name="Profile")

Notes:

  • Install dependencies: pip install locust beautifulsoup4.
  • Ensure form field names (csrf_token, username, password) match your application.
Previous Guide

Getting Auth Tokens

Send a login request to get an authorization token for the rest of your test

authentication token
Next Guide

Login Examples

Test that logs in and then requests a profile page.

login auth
View all Authentication & Security guides

Ready to run your test?
LoadForge is cloud-based locust.io testing.

Run free test