Can JMeter cookie manager override cookies set by the application?

Question

I am testing an application that requires a user to authenticate, and then uses a cookie to track the user session. If authentication fails, a cookie is set that identifies the session as belonging to an unidentified user.

Unfortunately, authentication is via Kerberos or NTLM, which cannot be done in JMeter 2.8. My plan is therefore as follows:

1. Log into website with Internet Explorer.
2. Copy cookie that identifies session out of IE and into JMeter cookie manager as a user-defined cookie.
3. Use JMeter to test application

Essentially, this is session hijacking.

What I am observing is that (1) the JMeter cookie manager does not seem to be supplying the cookie to the application in the first request, (2) after the first request the application sends a different cookie back to JMeter, and (3) subsequent requests use the application-defined cookie, not the one I supplied.

So my questions are:

1. Is the approach described plausible, in theory at least?
2. Do application-defined cookies always override user-defined cookies?
3. Why might the cookie manager be not sending my user-defined cookie?

Thanks in advance.

Answer 1

Try using JMeter nightly build, it has been reported recently that it worked with NTLM after upgrade of httpclient libraries.

• http://jmeter.apache.org/nightly.html

You approach seems really weird to me and I don't think it will work or even if it does be realistic.