Record login with a browser

Before you begin

Before you can record a login sequence the Starting URL must be defined in URL and Servers view.

About this task

Recorded Login lets you teach ADAC the procedure for logging in to your site: which links to click, which text to input in forms, and the order in which to do them. As soon as you have recorded this, AppScan will attempt to identify an in-session pattern that it can use in future to verify that it is logged in. Once this is done, AppScan can use the login sequence to log itself back in during the scan, whenever it detects that it has been logged out.

ADAC must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, ADAC sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If ADAC does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

Procedure

  1. In Login Management > Login tab, select Recorded.
  2. Click the red Record button > Chromium browser.
    The browser opens to the Starting URL and begins recording your actions.
    Note: If your website login does not support Chromium, select Internet Explorer instead.

    If you have configured AppScan® to use an external browser for scanning (Options > Use External Browser > Select Browser), you will be given the choice of recording the login with either the AppScan browser or the external browser. If possible it is recommended to use the AppScan browser for the login recording (even if using a different browser for scanning), as it records extra information that improves login success during scanning. If recording the login with the AppScan browser does not work for your application, use the external browser.

    Note: If the Starting URL has not yet been defined you are warned that you must define it before you can proceed (see URL and Servers).
  3. Log in to the site, completing forms and clicking on links as necessary.
    Tip: By default, the page you reach when you have logged in will be used by AppScan as the in-session URL. ADAC sends this URL every few seconds during the scan, to check that it is still logged in. If the page sends a large response, or if it includes tracked parameters or cookies, you can improve scan performance by clicking on one or more additional links until you reach a page with a smaller response (while still logged in) and without tracked parameters or cookies. Then, after you close the browser, go to the Review & Validate tab and select the later page as the "in-session URL".
  4. When you have successfully logged in to the site, click I am logged in to the site.
    ADAC attempts to extract the login information from your login request, for use during scanning.
    Note: Sometimes the login page does not provide enough information, and AppScan may ask you to click an additional step after you are logged in, or to log out of the site.
    Note: If the login mechanism manipulates the login data using JavaScript, a dialog box may open asking you to confirm that the login data ADAC extracted is correct. Fill in or correct the parameters and values as necessary, then click OK.

    The Session Information dialog box opens displaying the login requests you recorded, and the gray key icon changes to the green key icon, indicating that in-session detection is active.

    Note: If the key icon turns red, ADAC attempted but was unable to identify any pattern in the in-session page that it could use during scanning to verify that it has not been logged out. If this happens, you need to identify the "in-session pattern" for ADAC; see Select Detection Pattern dialog box for details. In some cases a more specific message may appear, with a link to a page in this Help for troubleshooting the problem; see Login troubleshooting.
  5. To make changes to the recorded sequence (for example to remove unnecessary steps), refer to Review & Validate tab.
    Tip: Generally speaking, the URL which logs the user in (and whose response is the first to include an in-session pattern) should be the one marked In-Session. However, sometimes you may want to select a later URL that also includes the in-session pattern but has the advantage of being a smaller page, or of not including tracked parameters or cookies. Additionally, sometimes the POST request carrying the user credentials is the request that logs you in and first contains the in-session pattern. This is a poor choice for the in-session page: the in-session check would resend the credentials every time, so each check would log in afresh and report an in-session response even after the session had actually expired (a false positive), and the scanner would never learn that it had been logged out. See Optimizing In-Session Detection.
  6. To save the new login sequence, click OK.
    Tip: If you are sure that the in-session page contains no tracked parameters or cookies, you can improve scan performance by changing the Advanced Configuration > Session Management: Parse in-session page setting to "False". See Advanced Configuration.
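The following is an added example, not AppScan code, that models the mechanism described under "About this task" and the false-positive case from the tip in step 5: a scanner repeatedly sends an In-Session Detection Request, looks for the In-Session Detection Pattern in the response, and replays the recorded login sequence when the pattern is missing. The site (FakeSite), its endpoints (/login, /dashboard, /logout), the sid cookie, the credentials and the pattern are all constructed for the example. Running the same loop with the credential POST as the in-session request shows why that choice hides a logout: the check itself logs in again, so the pattern is always found.

```python
"""Simulated in-session detection with login replay (added example, not AppScan code)."""
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    set_cookie: dict = field(default_factory=dict)


class FakeSite:
    """Constructed in-memory stand-in for the target site (not a real server)."""

    USERS = {"alice": "s3cret"}  # constructed credentials

    def __init__(self):
        self.sessions = set()  # server-side session ids currently valid

    def handle(self, method, path, cookies, form=None):
        sid = cookies.get("sid")
        if method == "POST" and path == "/login":
            form = form or {}
            if self.USERS.get(form.get("user")) == form.get("pass"):
                sid = secrets.token_hex(8)
                self.sessions.add(sid)
                return Response(200, "<h1>Welcome, alice</h1>", {"sid": sid})
            return Response(401, "<form>Login failed</form>")
        if path == "/logout":
            self.sessions.discard(sid)
            return Response(200, "<form>Please log in</form>", {"sid": ""})
        if sid in self.sessions:
            return Response(200, "<h1>Welcome, alice</h1><p>Dashboard</p>")
        return Response(302, "<form>Please log in</form>")


class SessionManager:
    """Scanner-side logic: in-session check plus login replay when it fails."""

    def __init__(self, site, login_sequence, in_session_request, pattern):
        self.site = site
        self.login_sequence = login_sequence        # list of (method, path, form)
        self.in_session_request = in_session_request  # (method, path, form)
        self.pattern = re.compile(pattern)          # the In-Session Detection Pattern
        self.cookies = {}
        self.login_replays = 0

    def _send(self, method, path, form=None):
        resp = self.site.handle(method, path, dict(self.cookies), form)
        for name, value in resp.set_cookie.items():  # honour Set-Cookie, incl. clearing
            if value:
                self.cookies[name] = value
            else:
                self.cookies.pop(name, None)
        return resp

    def replay_login(self):
        """Replay the recorded login sequence step by step."""
        self.login_replays += 1
        for method, path, form in self.login_sequence:
            self._send(method, path, form)

    def is_in_session(self):
        """Send the In-Session Detection Request; logged in iff the pattern is present."""
        method, path, form = self.in_session_request
        return self.pattern.search(self._send(method, path, form).body) is not None

    def ensure_logged_in(self):
        """What the scanner does before each batch of test requests."""
        if not self.is_in_session():
            self.replay_login()
        return self.is_in_session()


def logout_detection(in_session_request):
    """Return (logout_detected, total_login_replays) for a given in-session request."""
    site = FakeSite()
    login = [("POST", "/login", {"user": "alice", "pass": "s3cret"})]
    mgr = SessionManager(site, login, in_session_request, r"Welcome, alice")
    mgr.replay_login()
    if not mgr.is_in_session():
        raise RuntimeError("initial login failed")
    site.sessions.clear()  # server-side expiry; the scanner is not told
    detected = not mgr.is_in_session()
    mgr.ensure_logged_in()  # re-login happens only if the check noticed the logout
    return detected, mgr.login_replays


if __name__ == "__main__":
    print("GET /dashboard :", logout_detection(("GET", "/dashboard", None)))
    print("POST /login    :", logout_detection(("POST", "/login", {"user": "alice", "pass": "s3cret"})))
```

With GET /dashboard as the in-session request the expired session is detected and the login is replayed once more; with the credential POST the pattern is found on every check, so the expiry is never noticed and no replay is triggered. This is the same reason the page recommends a small, cookie-free page reached after login rather than the login POST itself.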