Login troubleshooting

Tips for troubleshooting session detection problems in the Scan Configuration > Login Management view.

When you close the browser after recording the login procedure, the green key icon confirms that AppScan has detected an in-session pattern that can be used during scanning to verify its in-session status. If one of the other icons appears instead, AppScan may not have enough information to log in to the site during scanning.

Scan Configuration > Login Management records the login sequence in two ways: as actions and as requests. As long as one of these two methods succeeds, AppScan will be able to log in to the site. The table below can help you troubleshoot in cases where both methods have failed.

The following table summarizes messages and possible user troubleshooting actions.

| Icon | Message | Possible user actions |
|---|---|---|
| Green key icon | Using action-based login; Action-based login: Succeeded; Request-based login: Succeeded | No action necessary. Action-based login will be used, and request-based login will be available as a fallback method. |
| Green key icon | Using action-based login; Action-based login: Succeeded; Request-based login: Failed | No action necessary. Action-based login will be used. To troubleshoot the request-based sequence, see Request-based login troubleshooting. |
| Green key icon | Using request-based login; Action-based login: Failed; Request-based login: Succeeded | No action necessary. Although action-based login is the preferred method, since request-based login succeeded, that version will be used. To troubleshoot the action-based sequence, see Action-based login troubleshooting. Note: If one of the login pages is very slow, it may be more practical to use request-based login as many logins are typically required during a scan. |
| Orange key icon | Login not yet recorded | Either click the Record button and record a login or, if login is not required, in the Login/Logout tab > Login method, select None to disable session detection. |
| Orange key icon | Login not yet validated | If changes have been made to one of the sequences, you must click the Validate button to validate the new login sequence. |
| Red key icon | In-Session Detection Pattern not defined | First try recording the login again, but this time after you are logged in, click an additional link, before closing the login recorder. The extra link should be to a page whose response will include data or links that are available only when users are in-session. This may enable AppScan to automatically identify a valid pattern. If this does not work, define an in-session pattern yourself. For details see Select Detection Pattern dialog box. |
| Red key icon | Session request same as login request | Generally, the login sequence should end immediately when AppScan is logged in to the application. However, in rare cases, the in-session request also contains the login request (with username and password). In such cases, whenever AppScan replays the in-session request (to verify that it is logged in) it will actually log itself in, and therefore be unable to detect when it is logged out. The solution is to record the login sequence and when logged in, to click another link on the page. The login sequence will now have an extra step. As long as this new request does not include the credentials, AppScan will be able to use the sequence to verify when it is logged out, and the key icon will change to green. |
| Red key icon | Session page redirects | If the page selected as the first in-session page redirects to another page, it is likely that the in-session pattern selected by AppScan is incorrect. Verify that the current In-Session Detection Pattern does indicate in-session status. If you are unsure, try adding the redirect page as an extra step in the request-based login sequence. |
| Red key icon | Session page not identified | In the Request tab, open the final page of the login sequence, look for a pattern (either in the Browser tab or the Request/Response tab) that is unique to logged-in users (such as a "log out" link), and select that as the in-session pattern. |
| Gray key icon | Session detection disabled | No action necessary. Session detection can be enabled by selecting one of the three Login methods: Recorded, Prompt, or Automatic. |
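The "Session request same as login request" case above can be reproduced with a small model. This is an added example, not AppScan code: the toy application, its paths, the credentials and the `Log out` pattern are all constructed for illustration, and the in-session check is a simplified assumption of how replaying a request against a pattern behaves.

```python
# Simplified model of in-session detection (added example, not AppScan code).
# The toy application, paths and credentials are constructed for illustration.
import re

class ToyApp:
    """Minimal web app: POST /login with valid credentials creates a session."""
    def __init__(self):
        self.logged_in = False

    def handle(self, request):
        method, path, body = request
        if path == "/login" and method == "POST":
            # Valid credentials log the client in and render the landing page.
            self.logged_in = body == "user=alice&pass=constructed-pw"
            return "Welcome <a href='/logout'>Log out</a>" if self.logged_in else "Login failed"
        if path == "/account":
            return "Balance <a href='/logout'>Log out</a>" if self.logged_in else "Please log in"
        if path == "/logout":
            self.logged_in = False
            return "Goodbye"
        return "Not found"

IN_SESSION_PATTERN = re.compile(r"Log out")  # text only logged-in users see

def is_in_session(app, in_session_request):
    """Replay the in-session request and test the response against the pattern."""
    return bool(IN_SESSION_PATTERN.search(app.handle(in_session_request)))

def carries_credentials(request, secrets=("alice", "constructed-pw")):
    """Flag an in-session request whose body still contains the login credentials."""
    return any(s in request[2] for s in secrets)

def detects_logout(in_session_request):
    """Log in, log out, then report whether the check notices the lost session."""
    app = ToyApp()
    app.handle(("POST", "/login", "user=alice&pass=constructed-pw"))
    app.handle(("GET", "/logout", ""))
    return not is_in_session(app, in_session_request)

LOGIN_REQUEST = ("POST", "/login", "user=alice&pass=constructed-pw")
EXTRA_STEP = ("GET", "/account", "")  # the additional link clicked after login

if __name__ == "__main__":
    for name, req in (("login request", LOGIN_REQUEST), ("extra step", EXTRA_STEP)):
        print(name, "| carries credentials:", carries_credentials(req),
              "| detects logout:", detects_logout(req))
```

With the login request as the in-session request, the check re-authenticates on every replay and never reports a logged-out state; with the extra step, the same pattern correctly fails after logout.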