Identifying in-session pages

Using in-session detection, the scan can detect whether or not it has been logged out of an application it is attempting to test. An in-session pattern is a pattern identified in a page, such as a logout link, that the scan can use to verify that it is still logged in. During a recorded login sequence, the scan identifies an in-session page. If this is not the page you want to use for in-session detection, you can change it.

About this task

If you identify a page that is part of the recorded login sequence, all pages following the selected in-session page will be marked as part of the Explore phase; the in-session page must be part of the manual explore sequence after you log in. Use the In-session status icon to see if you have correctly set up in-session detection for the scan. A message accompanies each icon with an update and possible remediation tasks.
Learn more about in-session pages:

The scan will poll the application periodically during the automatic explore and test phases to see if it can reach an in-session page and determine if that page is still in session. If the page is out-of-session (for example, the response to a request is a redirect to the login page or to a customized error page, or a specified in-session pattern is missing), it will do one of the following:

  • If an out-of-session state is detected in the explore phase, the scan will stop all of its threads, re-login, check its in-session state, and then re-explore all the pages since the last point a valid session state was confirmed. If a page is causing the out-of-session state, that page will be logged, and the scan will continue. If it is unable to log in, the job will be suspended.
  • If an out-of-session state is detected in the test phase, the scan will stop all of its testing threads, re-login, check its in-session state, and then rerun all the tests since the last point a valid session state was confirmed.
    • If a test causes the scan to be out-of-session, that test will be logged, and the scan will continue.
    • If a security test causes the scan to be out-of-session, the security attack will be logged, and the scan will continue.
  • If an out-of-session state is detected during issue retest (and in-session detection was enabled on the original scan), the scan will follow the same procedure as for an out-of-session state detected during the test phase. If that test now causes an out-of-session state, the test will be logged and the issue retest will be incomplete.
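The detection logic above can be illustrated in code. The following is an added example written for this page; it is not AppScan Enterprise code and makes no claim about how the product implements the check internally. It classifies a response to the in-session page using the three out-of-session signals the text names (redirect to the login page, customized error page, missing in-session pattern), and then drives a small explore loop that polls the in-session page, re-logs in on an out-of-session state, and re-explores every page visited since the last confirmed valid session. The `FakeApp` class, the `/home`, `/login` and `/logout` URLs, the page names and the expiry-after-N-requests behaviour are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Response:
    """Minimal view of an HTTP response (constructed here; no real HTTP client)."""
    url: str
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class InSessionConfig:
    in_session_pattern: str       # regex that must appear in the in-session page, e.g. a logout link
    login_url_pattern: str        # regex for the login page URL; a redirect there means out-of-session
    error_page_pattern: str = ""  # optional regex identifying a customized error page


def session_state(resp: Response, cfg: InSessionConfig) -> Tuple[bool, str]:
    """Classify a response to the in-session page. Returns (in_session, reason)."""
    if resp.status in (301, 302, 303, 307, 308):
        location = resp.headers.get("Location", "")
        if re.search(cfg.login_url_pattern, location):
            return False, "redirect to login page: " + location
    if cfg.error_page_pattern and re.search(cfg.error_page_pattern, resp.body):
        return False, "customized error page"
    if not re.search(cfg.in_session_pattern, resp.body):
        return False, "in-session pattern missing"
    return True, "in-session pattern present"


class FakeApp:
    """Constructed stand-in for the application under scan. The server-side
    session expires after `logout_after` authenticated requests; afterwards
    every request is redirected to the login page (hypothetical behaviour)."""

    def __init__(self, logout_after: int):
        self.logout_after = logout_after
        self.logged_in = False
        self.requests_since_login = 0
        self.logins = 0

    def login(self) -> None:
        self.logged_in = True
        self.requests_since_login = 0
        self.logins += 1

    def get(self, url: str) -> Response:
        if self.logged_in:
            self.requests_since_login += 1
            if self.requests_since_login > self.logout_after:
                self.logged_in = False  # session expired on the server
        if not self.logged_in:
            return Response(url, 302, {"Location": "/login?next=" + url}, "")
        return Response(url, 200, {}, '<html><a href="/logout">Logout</a> ' + url + "</html>")


def explore(app: FakeApp, cfg: InSessionConfig, pages: List[str],
            in_session_url: str = "/home", poll_every: int = 3) -> Tuple[List[str], List[str]]:
    """Explore `pages`, polling the in-session page every `poll_every` requests.
    On an out-of-session state: re-login, re-check the in-session page, then
    re-explore every page visited since the last confirmed valid session.
    Returns (pages requested, in order; out-of-session events logged)."""
    visited: List[str] = []
    events: List[str] = []

    def confirm() -> bool:
        return session_state(app.get(in_session_url), cfg)[0]

    app.login()
    if not confirm():
        raise RuntimeError("unable to log in; job suspended")
    confirmed = 0  # index of the first page not yet covered by a confirmed session
    i = 0
    while i < len(pages):
        app.get(pages[i])
        visited.append(pages[i])
        i += 1
        if i % poll_every == 0 or i == len(pages):
            ok, reason = session_state(app.get(in_session_url), cfg)
            if ok:
                confirmed = i
                continue
            events.append("out-of-session after " + pages[i - 1] + ": " + reason)
            app.login()
            if not confirm():
                raise RuntimeError("unable to log in; job suspended")
            i = confirmed  # re-explore from the last confirmed point


    return visited, events


# Constructed configuration and page list for the demonstration.
CFG = InSessionConfig(in_session_pattern=r'href="/logout"',
                      login_url_pattern=r"/login(\?|$)",
                      error_page_pattern=r"Session expired")
PAGES = ["/page%d" % n for n in range(1, 9)]

if __name__ == "__main__":
    app = FakeApp(logout_after=7)
    visited, events = explore(app, CFG, PAGES)
    print("logins:", app.logins, "requests:", len(visited))
    for e in events:
        print(e)
```

With the constructed application expiring the session after 7 authenticated requests and the poll interval set to 3, the loop re-logs in twice and re-explores the pages visited since the last confirmed session each time, which is the behaviour the explore-phase bullet above describes. The polling request itself counts as a request against the session, so a poll interval that is too long relative to the application's idle timeout lets the scan walk many pages out of session before noticing; choosing a pattern such as a logout link that only an authenticated response contains keeps the check reliable.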
Early detection of login failure due to out-of-session:
Early detection of out-of-session is supported from AppScan Enterprise 10.0.5 onwards. Use this feature when an out-of-session state must be detected before the scan enters the Explore phase. To enable early detection of out-of-session, follow these steps:
  1. Log in to the AppScan Enterprise application.
  2. Go to Administration > General Settings > Global Extended Properties.
  3. Create a new property named LoginVerification and set its value to 1 or true.

Procedure

  1. Go to the Login Management page of the content scan job.
  2. In the list of URLs, select the page you want to use as the in-session page and click In-session.
  3. In the Activate in-session detection section of the page, select the Activate in-session detection check box.
  4. Edit the regular expression used as the in-session pattern field, click Update to update the pattern, and click Save.

What to do next

Identifying the logout page