Session IDs

If the site uses time-restricted session IDs (in the form of cookies or parameters), it will reject requests that contain expired tokens, causing the site tests to fail.

Therefore, AppScan must be able to recognize and handle the HTML parameters or cookies that are time-restricted session IDs. AppScan assigns each session ID the most recent value available, thus preventing the application session from expiring.

You can determine whether AppScan should automatically update the value of a session ID by setting the Status of that session ID:

  • Login Value: (Recommended) When sending a test request containing this parameter, AppScan automatically updates the session ID with the last value received from the application before the In-Session request.
    Tip: To track the parameter in the In-Session response, you must set its type to Dynamic Value, not Login Value, and verify that Scan Configuration > Advanced Configuration > Session Management: Parse in-session page is set to True (which is the default setting).
    This status is recommended for most parameters and cookies, unless there is a specific need to set a specific value. However, when Login Value session IDs are used, the value might expire while it is in the database.
    Note: If you record login steps as part of a Multi-Step Sequence, defining a received parameter as Login Value will not affect how it is used. It will always be treated as Dynamic Value. For details, see Multi-Step Operations view.

    To update a tracked session ID in the database: Just before running the scan, visit the URL where the session ID is sent. A new session ID will be sent, with an updated value.

  • Dynamic Value: AppScan automatically updates the session ID value during the Test stage, according to new values set by the web application in prior tests (for example, as with Shadow Cookies).

    Select Dynamic only if you know that your web application enforces security measures that demand that a specific session ID be updated during certain usage procedures.

  • Fixed Value: Retains a fixed value. Set a fixed value for a session ID if your web application security needs this session ID to always have this value.
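To make the difference between the three statuses concrete, here is an added Python example (not AppScan code) that models a scanner's session-ID tracker against a constructed mock application which rotates its session ID on every successful response and rejects stale ones; the tracker class, the mock app and the cookie name JSESSIONID are assumptions for illustration.

```python
from http.cookies import SimpleCookie

# The three session-ID statuses described on this page.
LOGIN_VALUE, DYNAMIC_VALUE, FIXED_VALUE = "login", "dynamic", "fixed"

class SessionIdTracker:
    """Value a scanner sends for one session-ID cookie (hypothetical helper)."""
    def __init__(self, name, status, fixed_value=None):
        self.name, self.status, self.value = name, status, fixed_value

    def observe(self, set_cookie_header, phase):
        # phase: "login" = recorded login, before the in-session request;
        #        "test"  = a response received while tests are running
        if self.status == FIXED_VALUE:
            return                      # Fixed Value never changes
        jar = SimpleCookie()
        jar.load(set_cookie_header)     # empty header -> nothing to record
        if self.name not in jar:
            return
        # Login Value: only the login sequence updates it; Dynamic: any response does
        if phase == "login" or self.status == DYNAMIC_VALUE:
            self.value = jar[self.name].value

    def cookie_header(self):
        return f"{self.name}={self.value}"

class RotatingSessionApp:
    """Constructed mock app: new session ID on every 200, 401 for a stale one."""
    def __init__(self):
        self.counter, self.current = 0, None

    def issue(self):                    # also serves as the login response
        self.counter += 1
        self.current = f"sid-{self.counter}"
        return f"JSESSIONID={self.current}; Path=/; HttpOnly"

    def request(self, cookie_header):
        if cookie_header != f"JSESSIONID={self.current}":
            return 401, ""              # stale or unknown session ID
        return 200, self.issue()        # accepted; a new ID is set

def run_scan(status, requests=3):
    """Send test requests under the given status; return the HTTP codes seen."""
    app, tracker = RotatingSessionApp(), SessionIdTracker("JSESSIONID", status, "fixed-123")
    tracker.observe(app.issue(), "login")
    codes = []
    for _ in range(requests):
        code, set_cookie = app.request(tracker.cookie_header())
        codes.append(code)
        tracker.observe(set_cookie, "test")
    return codes
```

Against an application that rotates the ID mid-session, only Dynamic Value keeps every test request authenticated; Login Value succeeds once and then sends the expired token, and Fixed Value never matches.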

During the Explore stage, AppScan automatically detects cookies and HTML parameters that are likely to be session IDs and adds them to a list. You can manually add the cookies and parameters that you know to be session IDs when you configure the scan.