Optimizing In-Session Detection

Reviewing the login sequence can help troubleshoot and optimize in-session detection.

About this task

AppScan attempts to automatically identify an "In-Session Detection Pattern" on the in-session page, which it can use during the scan to verify that it is still logged in. This should be a pattern that occurs in the page's response only when you are logged in. An example might be text that reads: "Click here to log out".

During the scan, AppScan sends the in-session request repeatedly, and checks that the response contains the In-Session Detection Pattern. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

When the defined in-session pattern is detected in the in-session request (the request immediately following the POST request), it is highlighted in green.


  1. Verify that the In-Session Detection Pattern that was automatically selected is in fact an indication that the user is logged in. If necessary, change it.
  2. Verify that there are no unnecessary steps in the login procedure. If there are, delete them.
  3. Verify that the in-session response is not a large one and, if possible, does not include tracked parameters or cookies. If necessary, add one or more steps until you reach a smaller page or one without tracked items.
  4. If you succeeded in selecting an in-session page without tracked parameters or cookies, there is no need for AppScan to check for these each time it logs in. Go to Advanced Configuration > Session Management: Parse In-Session Page, and change the setting to False.
  5. If none of these succeed, you can try to identify an out-of-session pattern instead, and then change the detection method.
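
The checks in steps 1, 3 and 5 can be rehearsed outside AppScan against one saved logged-in response and one saved logged-out response. The following is an added example, not AppScan code or part of the product documentation. The sample responses are constructed, and the 4096-byte size threshold, the use of a Set-Cookie header as a sign of tracked cookies, and treating the pattern as a case-insensitive regular expression are assumptions.

```python
import re

# Constructed sample responses (not captured from a real application).
LOGGED_IN = {
    "headers": {"Content-Type": "text/html"},
    "body": "<html><body>Welcome back, jsmith. "
            "<a href='/logout'>Click here to log out</a></body></html>",
}
LOGGED_OUT = {
    "headers": {"Content-Type": "text/html", "Set-Cookie": "SESSIONID=abc; Path=/"},
    "body": "<html><body>Welcome back to our site. "
            "<a href='/login'>Sign in</a></body></html>",
}
MAX_BODY_BYTES = 4096  # assumed threshold for a "small" in-session page


def evaluate_pattern(pattern, in_session, out_of_session):
    """Classify a candidate pattern against a logged-in and a logged-out response."""
    rx = re.compile(pattern, re.IGNORECASE)
    hit_in = bool(rx.search(in_session["body"]))
    hit_out = bool(rx.search(out_of_session["body"]))
    if hit_in and not hit_out:
        return "usable"          # occurs only when logged in (step 1)
    if hit_in and hit_out:
        return "not-specific"    # a logged-out scan would still look logged in
    if hit_out:
        return "out-of-session"  # candidate for the alternative method (step 5)
    return "absent"              # every check would trigger a replay of the login


def page_warnings(response, max_bytes=MAX_BODY_BYTES):
    """List properties of an in-session response that increase scan time (step 3)."""
    warnings = []
    if len(response["body"].encode("utf-8")) > max_bytes:
        warnings.append("large-response")
    if any(name.lower() == "set-cookie" for name in response["headers"]):
        warnings.append("sets-cookie")
    return warnings


if __name__ == "__main__":
    for candidate in ("Click here to log out", "Welcome back", "Sign in", "My account"):
        print(f"{candidate!r}: {evaluate_pattern(candidate, LOGGED_IN, LOGGED_OUT)}")
    print("in-session page warnings:", page_warnings(LOGGED_IN))
```

A "not-specific" result is the one to watch for: the scan would keep running after the session is lost, because the pattern still matches.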