Authorization on site by using requests

Can anyone show a working example of authorization on a site using requests, cookies and csrf validation?

Site on Laravel

1st action - HTTP Request (GET)

Options: Response → Include Response Headers and Status +

2nd action - HTML Extract

Extraction Values:
CSS Selector: meta[name=“token”], Return Value: Attribute, Attribute: content

3rd action - HTTP Request (POST)

Send Headers: Header Parameters
Name: Cookie, Value: {{ $node[“HTTP Request”].json[“headers”][“set-cookie”] }}

Send Body: Body Parameters
Name: _token, Value: {{$node[“HTML Extract”].json[“data”]}}
Name: username, Value: admin
Name: password, Value: password

Options: Redirects
Follow Redirects +


The site is loading as if a Get request has been completed

Is it possible to send a cookie POST request header without the extra data received from the GET request? (expires=xx, xx-Nov-2022 11:11:11 GMT; Max Age=7200; path=/)
Or does it not matter?
Filling in manually still doesn’t work.

Authorization works like this in Postman.
Only works if you use automatically added cookie headers. If you delete cookies in Postman and add your own exactly the same header, then it does not work.

Hi @Smied, welcome to the community :tada:

This is a bit tricky and the correct format would depend on the exact site. It shouldn’t be impossible though. Perhaps you can share a few additional details on the page you’re looking? Which step exactly are you struggling with and how does the data you currently have look like?

Using variables (Expression) = CSRF token mismatch.
(CSS selector pulls the correct token)

Entering cookies and token manually = Just the page is loaded as with a GET request (the token is again indicated in the page code but new).

Demo for example → BookStack

If you log in to the site without csrf protection, then everything works.