Review & Validate tab

Scan Configuration > Login Management > Review & Validate tab

When you record a login sequence, AppScan records both the actions and the requests. These are shown on the two sub tabs: Actions and Requests. When replaying the login AppScan attempts (by default) to reproduce the action-based login; if this is unsuccessful it uses the request-based login.

This tab is used to review and edit:
  • Action-based version of the login sequence
  • Request-based version of the login sequence
  • In-Session Detection Request
  • In-Session (or Out-of-Session) Detection Pattern
It is also used to:
  • Validate the current settings
Table 1. "Review & Validate tab" settings



Login Playback

This section appears only if Recorded Login is the selected login method

Login Playback Method

When you record using the built-in browser, AppScan saves two versions of the login sequence you record: one based on the actions you performed, and the other on the HTTP requests actually sent.
  • Action-Based: (Used by default whenever possible:) AppScan will attempt to log in using action-based login, replaying the clicks and keystrokes of the user.
    • Action-based player button Replay: Opens the Action-Based Player and replays the recorded login sequence in its browser.
    • Edit: Opens the Action-Based editor to view and edit details of the login recording.
  • Request-Based: If the first method fails, AppScan will use the request-based version, which re-sends the raw HTTP requests from the login recording.
If a message indicates that one of the methods failed, use the other method.
Note: If you select Action-Based Login and it fails during the scan, AppScan will try Request-Based Login. If that succeeds, the setting here will be changed automatically to Request-Based.
Note: Action-based Login is available only when the built-in browsers is used. If you recorder with an external browser, or an external client, only Request-Based Login is available.

Automatic Login

This section appears only if Automatic Login is the selected login method

Auto-Detect In-Session Configuration button Click for AppScan to perform the following actions:
  • Attempt to log in to the site using the credentials you supplied
  • Identify an In-Session Detection Pattern on the login page (see below)
  • Configure session identifiers (see Session IDs tab

Session Detection

During scanning, AppScan must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

In-Session Detection Request

This is the request used by AppScan to verify that it is still in-session. This request should be one that produces different responses depending on whether or not the user is logged in.

AppScan attempts to identify valid in-session requests, and you can select one of them from the drop-down list. If none are found, or suitable, you can select your own using the Advanced Request Selection button.

Advanced request selection button

This button opens a dialog box in which you can review requests in the login sequence, and select an In-Session Detection Request. For details, see Advanced In-Session Request Selection dialog

In-Session Detection Pattern

(Active only when an In-Session Detection Request is selected:) This field shows a pattern found in the selected In-Session Detection Request, which indicates that the user is in-session (or out-of-session if that option is selected).

The drop-down list lets you select a detection pattern from candidates that AppScan has identified in the Login recording, and the green or red message below the pattern indicates whether the current pattern is valid or invalid.
Note: It is usually preferable to use an in-session pattern. However, in rare cases where the in-session pattern is not always returned following an in-session request, or where it is complicated to define, you can use an out-of-session pattern instead.
If AppScan was unable to identify any valid, or if you need to select a different one, use the Advanced pattern selection button (next row in this table).

RegExp: Select this check box to enter a regular expression for identifying the pattern.

Advanced pattern selection button

(Active only when an In-Session Detection Request is selected:) This button opens the Select Detection Pattern dialog box, showing the content of in-session and out-of-session responses to requests in the Login sequence you recorded (based on the selected detection pattern). It lets you see the selected detection pattern in the context of the response, and define a detection pattern that is not listed in the combo box. The dialog lets you toggle through all recorded responses. In the upper part of the box you can also see the in-session and out-of-session requests that AppScan sent.



(Active only if the current login sequence has not been verified yet:) Click to validate the sequence and the session detection pattern.

Key icon

The key icon indicates In-Session Detection configuration status:

the green key icon Enabled and configured. (An in-session page has been identified in login sequence, either automatically or by the user.)

the orange key icon Enabled but not fully configured.

the red key icon Enabled but not configuration failed.

the gray key icon Disabled.

See Select Detection Pattern dialog box for details.