Request-based login troubleshooting

If the In-Session Detection Pattern shown in the Details tab does not correctly identify in-session status, you can select a different pattern using the Requests sequence.


  1. In Scan Configuration > Login Management > Details > Requests, select the URL marked In-Session (highlighted in green), then click the Select button at the bottom of the dialog box to choose a different pattern.

    The browser opens and you can select a new pattern either in the browser or in the response body tab. Then close the browser and click Validate.

  2. If you cannot identify an in-session pattern on the final page, do the following:
    1. Select the request above the request you just looked at.
    2. Double-click it and check that it does not contain the login credentials.
    3. If it does not, click Select, and try to identify a different pattern.
  3. If you do not find an in-session pattern, repeat the previous step for the next request up. You can repeat this as necessary, until you reach a request that contains the login credentials.
  4. If you are unable to identify an in-session pattern in any of these pages, and there are one or more URLs listed after the In-Session page, use the same procedure to look for an in-session pattern on that page.
  5. If there are no extra URLs, try recording the login sequence again, but click one extra link after you are logged in, preferably a personalized setting, and look for an in-session pattern on that page.
  6. If this fails, try selecting an out-of-session pattern:
    1. Select the URL that was originally marked as the In-Session request.
    2. Open a browser (outside AppScan) and send this request on its own (not preceded by the rest of the login sequence).
    3. Compare the two responses, and try to identify an expression in the body of the response from step 2 that does not exist in the in-session page (such as "You are not logged in").
      Note: If the request redirects to a different page, you cannot use the response you see in the browser, but need to use the response to the actual request, which can be done using a sniffer.
    4. At the bottom of the Details tab, click the In-Session drop-down button and select Out-of-session, and then paste the pattern you identified into the Detection Pattern field.
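
The comparison in step 6, as an added example that is not part of AppScan or of the original page: a Python script that lists text present in the out-of-session response body and absent from the in-session one. Both response bodies are constructed samples, and the function names and the `min_len` threshold are assumptions.

```python
from html.parser import HTMLParser

class TextExtractor(HTMLParser):
    """Collects visible text fragments, skipping <script> and <style> content."""
    def __init__(self):
        super().__init__()
        self.fragments, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        text = " ".join(data.split())  # collapse runs of whitespace
        if text and not self._skip:
            self.fragments.append(text)

def text_fragments(body):
    parser = TextExtractor()
    parser.feed(body)
    parser.close()
    return parser.fragments

def candidate_patterns(in_session_body, out_of_session_body, min_len=8):
    """Text from the out-of-session body that occurs nowhere in the in-session
    body (raw markup or visible text), in page order. min_len is an assumed
    threshold that drops short fragments likely to match by accident."""
    haystack = (in_session_body + " " + " ".join(text_fragments(in_session_body))).lower()
    found = []
    for frag in text_fragments(out_of_session_body):
        if len(frag) >= min_len and frag.lower() not in haystack and frag not in found:
            found.append(frag)
    return found

# Constructed sample responses to the same URL (not from a real application).
IN_SESSION = """<html><head><title>My Account</title></head><body>
<div id="nav"><a href="/home">Home</a> <a href="/logout">Sign Off</a></div>
<h1>Welcome back, jsmith</h1><p>Your last login was recorded.</p>
</body></html>"""
OUT_OF_SESSION = """<html><head><title>My Account</title></head><body>
<div id="nav"><a href="/home">Home</a> <a href="/login">Sign In</a></div>
<h1>You are not logged in</h1><p>Please sign in to view this page.</p>
</body></html>"""

if __name__ == "__main__":
    for pattern in candidate_patterns(IN_SESSION, OUT_OF_SESSION):
        print(pattern)
```

When the request redirects, pass in the body of the response to the actual request (captured with a sniffer, as the note in step 6 says) rather than the page the browser ends up displaying.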

What to do next