Record login with a browser

Before you begin

To record a login sequence for an application, the Starting URL must be defined (either in Configuration > URL and Server view or in the wizard). If you are using an external client to send requests to the application, a Starting URL is not needed, but AppScan will define a Starting URL for itself after the Explore stage is complete.

About this task

Recording a Login with a browser lets you teach AppScan® which links to click, which text to input in forms, and the order in which to do them:, so it can log in during the scan. When you have logged in, AppScan identifies an in-session pattern that it can use in future to verify that it is still logged in.

During scanning, AppScan must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

To record the login:


  1. In Scan Configuration > Login Management > Login tab, select the Recorded radio button.
  2. Click the red Record button > External client > and then select the browser you will use to log in:
    AppScan Chromium browser The built-in Chromium browser is the default and recommended browser.
    AppScan IE browser Select this only for cases where this specific browser is needed.
    External browser Active only if you have configured AppScan® to use an external browser for scanning (Tools > Options > Use External Browser > Select Browser).

    If possible it is better to use the AppScan Chromium browser, as it records extra information that improves login success during scanning. Use the external browser only if recording the login with the AppScan browsers does not work for your application.

    The browser opens to the Starting URL and begins recording your actions.
    • If the Starting URL has not yet been defined you are warned that you must define it before you can proceed (see URL and Servers view).
    • If a login procedure has previously been recorded, you are warned that the new recording will overwrite the existing one.
  3. Log in to the site:
    Log in to the site, completing forms and clicking on links as necessary till you are logged in.
    Tip: By default, the page you reach when you have logged in will be used by AppScan as the in-session URL. AppScan sends this URL every few seconds during the scan, to check that it is still logged in. If the page sends a large response, or if it includes tracked parameters or cookies, you can improve scan performance by clicking on one or more additional links until you reach a page with a smaller response (while still logged in) and without tracked parameters or cookies. Then, after you close the browser, go to the Review & Validate tab and select the later page as the "In-Session URL".
  4. When you have successfully logged in to the site:
    Click I am logged in to the site
    Note: Sometimes the login page does not provide enough information, and AppScan may ask you to click an additional step after you are logged in, or to log out of the site.

    The browser closes and AppScan® extracts the login information for use during scanning.

    The Session Information dialog box opens displaying the login requests you recorded, and the gray key icon changes to the green key icon, indicating that in-session detection is active.

    Note: If the key icon turns red the red key icon, AppScan® attempted but was unable to identify any pattern in the in-session page that it can use during scanning to verify that it has not been logged out. If this happens, you need to identify the "in-session pattern" for AppScan®, see Select Detection Pattern dialog box for details. In some cases a more specific message may appear, with a link to a page in this Help for troubleshooting the problem, see Login troubleshooting.
  5. To make changes to the recorded sequence (for example to remove unnecessary steps), refer to Review & Validate tab.
    Tip: Generally speaking the URL which logs the user in (and whose response is the first to include an in-session pattern), should be the one marked In-Session. However, sometimes you may want to select a later URL, that also includes the in-session pattern, but which has the advantage of being a smaller page or of not including tracked parameters or cookies. Additionally, sometimes the POST request with the user credentials is the request which logs you in and first contains the in-session pattern, this is a poor choice for the in-session page, since the in-session check would send the credentials each time, leading to a false positive in session response. See Optimizing In-Session Detection
  6. To save the new login sequence, click OK.
    Tip: If you are sure that the in-session page contains no tracked parameters or cookies, you can improve scan performance by changing the Advanced Configuration > Session Managment: Parse in-session page setting to "False". See Advanced Configuration view.