Login tab

Scan Configuration > Login Management > Login tab.

The Login Management view of the Scan Configuration dialog box is used to define how AppScan® logs in to your application, and how it can recognize when it gets logged out.

AppScan can automatically detect login requests and fill in the username and password parameters. If your application has a non-standard login sequence of actions, you can record these actions for AppScan to use.



Select Login Method

Recorded (Recommended)

(Default method) Select this method to open the browser and record a login sequence (both HTTP requests and user actions are recorded). AppScan® will use this sequence whenever it needs to log in to the application.

The red Record button is used to record the sequence. Options are:
  • AppScan Chromium browser (default)
  • AppScan IE browser
  • External browser (if installed)
  • External client >
    • Postman
    • SoapUI
    • Other
Note: In the case of Recorded and Automatic login, if the site or service uses one-time passwords (OTP), you must click the Configure OTP link and configure this before you record the login.

For web applications, see Record login with a browser.

For web services, see Record login with an external client.

Automatic Login

Select this method to let AppScan® automatically detect the login form of your application and use the username and password you supply. (This method can be less reliable than the Recorded Login method.)


Select this method if login requires human interaction each time (such as Two-Factor Authentication, One-Time Passwords, or CAPTCHA).

Note that when you select this option:
  • You must record a login sequence. This is to provide AppScan® with an in-session page that it can later use to verify that it is logged in. For details see Record login with a browser.
  • It is recommended to disable the setting: Configuration > Test options > Send tests on logout pages, otherwise you will get too many login prompts.


Select this option if the application does not require users to log in.

Login Validation Status Indicator

Key icon

The key icon indicates the status of In-Session Detection:

Green key icon: Enabled and configured. (An in-session page has been identified in the login sequence, either automatically or by the user.)

Orange key icon: Enabled but not fully configured.

Red key icon: Enabled but configuration failed.

Gray key icon: Disabled.

See Select Detection Pattern dialog box for details.

Import or Export Login Settings


When you record a login sequence it is saved as part of the scan. If you save the scan as a template, the login sequence is saved as part of the template.

To import a login sequence that was previously saved as a *.login file, click the Import button.


To export the login sequence by itself, to use in future scans, click the Export button. The sequence is saved as a *.login file.