Session IDs

If the site uses time-restricted session IDs (in the form of cookies or parameters), the site rejects requests that contain expired tokens, causing the site tests to fail.

Therefore, ADAC must be able to recognize and handle the HTML parameters or cookies that are time-restricted session IDs. ADAC assigns each session ID the most recent value available, thus preventing the application session from expiring.

You control whether ADAC automatically updates the value of a session ID by setting the Status of that session ID:

  • Login Value: (Recommended) When sending a test request containing this parameter, ADAC automatically updates the session ID with the value received from the application after successful login.

    This status is recommended for most parameters and cookies, unless there is a specific need to set a particular value. However, when Login Value session IDs are used, the value might expire while it is stored in the database.
    Note: If you record login steps as part of a Multi-Step Operation, defining a received parameter as Login Value will not affect how it is used. It will always be treated as Dynamic. For details see Multi-Step Operations.

    To update a tracked session ID in the database: Just before running the scan, visit the URL where the session ID is sent. A new session ID will be sent, with an updated value.

  • Dynamic: ADAC automatically updates the session ID value during the Test stage, according to new values set by the web application in prior tests (for example, as with Shadow Cookies).

    Select Dynamic only if you know that your web application enforces security measures that demand that a specific session ID be updated during certain usage procedures.

  • Fixed: Retains a fixed value. Set a fixed value for a session ID if your web application's security requires this session ID to always have this value.

Note: A parameter in a Multi-Step Operation is always treated as Dynamic, even if defined as a Login Value.
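To make the three statuses concrete, the following is an added Python model (not AppScan's or ADAC's own code) of how a session-ID tracker decides which cookie value to send after login and after later responses; the class and function names, and the sample Set-Cookie headers, are assumptions constructed for this example.

```python
from enum import Enum
from http.cookies import SimpleCookie


class Status(Enum):
    """The three session-ID statuses described above."""
    LOGIN_VALUE = "Login Value"
    DYNAMIC = "Dynamic"
    FIXED = "Fixed"


class SessionIdTracker:
    """Hypothetical tracker for one cookie marked as a session ID."""

    def __init__(self, name, status, fixed_value=None):
        self.name = name
        self.status = status
        self.value = fixed_value      # only meaningful for FIXED
        self.in_multistep = False     # set when recorded in a Multi-Step Operation

    def observe(self, set_cookie_header, from_login=False):
        """Apply a Set-Cookie header seen in a response according to the status rules."""
        jar = SimpleCookie()
        jar.load(set_cookie_header)
        if self.name not in jar:
            return                    # this response did not touch our cookie
        # A parameter in a Multi-Step Operation is always treated as Dynamic.
        effective = Status.DYNAMIC if self.in_multistep else self.status
        if effective is Status.FIXED:
            return                    # a fixed value is never overwritten
        if effective is Status.LOGIN_VALUE and not from_login:
            return                    # only the value received at login is kept
        self.value = jar[self.name].value

    def value_for_request(self):
        return self.value


def simulate(status, login_set_cookie, later_set_cookies, fixed_value=None, in_multistep=False):
    """Return the value the tracker would send after the login response and later responses."""
    tracker = SessionIdTracker("sid", status, fixed_value)
    tracker.in_multistep = in_multistep
    tracker.observe(login_set_cookie, from_login=True)
    for header in later_set_cookies:   # constructed sample responses from the Test stage
        tracker.observe(header)
    return tracker.value_for_request()
```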

During the Explore stage, ADAC automatically detects cookies and HTML parameters that are likely to be session IDs and adds them to a list. You can manually add the cookies and parameters that you know to be session IDs when you configure the scan.