Micro Focus Expert
Micro Focus Expert

(UFT) Support tip: How to handle cookie-based authentication between REST calls from API testing?

For this example, I'll use ALM REST API.
Let's keep it simple: our goal will be to get all requirements for a specific project. For this, we require making two calls:

  • Call #1: here we will authenticate into ALM using basic authentication. If we are able to successfully authenticate, ALM will return a session cookie that we can, later on, use to make other calls.
  • Call #2: using the mentioned session cookie, we will request our ALM server to return all requirements

Now, let's go step by step:

  1. From Toolbox > Network, I'll drag and drop the two HTTP request activities I need for this task and I'll rename them so it's easier to identify what they do. In parenthesis we have the step ID which is the name we'll use from the code:
  2. As mentioned before, our first call (HTTP Request4) will perform the authentication. For this, we require sending an Authorization header indicating that we're using Basic authentication and our credentials should be expressed in base64 encoding. Our raw request should look like this (captured using Fiddler😞
    GET http://myALMServer:8080/qcbin/authentication-point/authenticate HTTP/1.1
    Authorization: Basic QWx2YXJvOm15UGFzc3dvcmQ=
    Host: myALMServer:8080
    Proxy-Connection: Keep-Alive
  3. From UFT side, the activity settings looks like this:
    Note: as mentioned, for basic authentication we require encoding to base64 our credentials string (which use this format: user:password). For this, we can create custom code or we can manually encode our string using any online service like this one.
  4. Here is the raw response we get from ALM:
    HTTP/1.1 200 OK
    Date: Tue, 30 Jan 2018 18:35:47 GMT
    X-Content-Type-Options: nosniff
    Pragma: no-cache
    X-XSS-protection: 1; mode=block
    Content-Length: 0
    Cache-Control: no-cache, max-age=0, proxy-revalidate
    Proxy-Connection: Keep-Alive
    Connection: Keep-Alive
    Set-Cookie: LWSSO_COOKIE_KEY=yCTSq6Vdaxqg3mpnAsfmXuoBU2Atoopo_LOPuAltMd_U86hdh
    As you can see, we received a "Set-Cookie" response header. This header contains the cookie value that we should pass over to ALM as request header to get the desired information in our following request.
  5. For this exercise, I'd like to save the cookie value in a test input parameter so I can link any other activities to this value when needed. To create this input parameter, from the test flow diagram, click on Start and then go to the Test Input/Output Parameters tab and click on Add…
  6. Now, in order to save the cookie value we got from our first call, we need to iterate through all the response headers, locate Set-Cookie response header and save its value into "cookie" input parameter that we just created. This should be done through coding:
    1. Select the HTTP Request used for the authentication (our first call)
    2. In the Properties pane, select the Events tab
    3. In the Events tab, in the AfterExecuteStepEvent row, click the down arrow and select Create a default handler
    4. A separate tab, titled TestUserCode.cs, opens in the document pane, and a section of code is added to this file for the AfterExecuteStepEvent section.
    5. In the TestUserCode.cs tab, find the TODO: Add your code here... section under the HTTPActivity4_OnAfterExecuteStepEvent portion of the code.
    6. Delete the //TODO: Add your code here… string and insert the below code: 
      string header = "", cookieValue = ""; 
      for(int i = 0; i<HTTPActivity4.ResponseHeaders.Length;i++){
          header = HTTPActivity4.ResponseHeaders.GetValue(i).ToString();
          if(string.Compare(header.Substring(1,10),"Set-Cookie") == 0)
              cookieValue = header.Substring(12, header.Length - 13); 
      this.Context.ExecutionInputParameters.SetParameterValue("cookie", cookieValue);
      The ResponseHeaders object returns the header value in this format:
      [header, headerValue]
      The above code will search for Set-Cookie header, extract just its value (the green text) and store it in the input parameter created in step
  7. At this point, we just need to configure our second call to get all requirements. For this:


Micro Focus Support

Labels (1)
4 Replies
Valued Contributor.
Valued Contributor.

Re: (UFT) Support tip: How to handle cookie-based authentication between REST calls from API testing

cookie in the request header seems not to be enough. i still have the 401.

Problem accessing /qcbin/rest/domains/mydomain/projects/myproject/defects

Error 401 Authentication failed. Browser based integrations - to login append '?login-form-required=y' to the url you tried to access.

it woutd be greate if you would hav a hint


Valued Contributor.
Valued Contributor.

Re: (UFT) Support tip: How to handle cookie-based authentication between REST calls from API testing

got it

you have to create a session and you have to pass the sso cookie and the session cookie combined in the request header.


cut the QCSession cookie out of the response and combine it  QCSessionCookie+"; "+LWSSOCookie

put the combined string in the request header




New Member.

Re: (UFT) Support tip: How to handle cookie-based authentication between REST calls from API testing


This is the closest post that I found related to my need. 

In SOAP UI I can add a 0Auth 1.0 or 2.0 authorization by creating a POST method into a New Reosurce and sending a JSON request like this: 


When I execute the post I can get a token like this into the response: 

Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJ1c2VycnRkbSIsImV4cCI6MTUzOTM0NzU1OH0.od2JaabchFsskilXoJpOJmWAV7HSTuuacbk2UIqeQmuSSLeqa78kGzp_smOumDc6XfRTQzQ16K_M5SdQPecYMA

I really don´t know how to do the same in UFT in order to get the token. Can you please help me?


Trusted Contributor.
Trusted Contributor.

Re: (UFT) Support tip: How to handle cookie-based authentication between REST calls from API testing


I believe the way proposed in this post can exactly solve your question. 

Basically you need 2 activities, the first to query for the token and the second to take the token as an input.

The trick here is that when you receive the token, it comes within the response body. At this point you need to add either a post-event handler for the first activity or a pre-event handler for the second one, in which you need to select the field you need with the code provided.

Please let us know if you have further questions.



The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.