Login method

Configuration > Login management > Login method.

Define how AppScan® logs in to your application and, if necessary, record the login procedure.

AppScan can automatically detect login requests and fill in the username and password parameters. If your application has a non-standard login sequence of actions, you can record these actions for AppScan to use.

Setting

Details

Select Login Method

Recorded (Recommended)

(Default method) Select this method to open the browser and record a login sequence (both HTTP requests and user actions are recorded). AppScan® will use this sequence whenever it needs to log in to the application.

Record login is used to record the sequence. Options are:
  • AppScan Chromium browser (default)
  • AppScan IE browser
  • External browser (if installed)
  • External client >
    • Postman
    • SoapUI
    • Other
Note: In the case of Recorded and Automatic login, if the site or service uses one-time passwords (OTP), you must click the Configure OTP link and configure this before you record the login.

For web applications, see Record login with a browser.

For web services, see Record login with an external client.

Automatic Login

Select this method to let AppScan® automatically detect the login form of your application and use the username and password you supply. (This method can be less reliable than the Recorded Login method.)

Prompt

Select this method if login requires human interaction each time (such as Two-Factor Authentication, One-Time Passwords, or CAPTCHA).

Note that when you select this option:
  • You must record a login sequence. This is to provide AppScan® with an in-session page that it can later use to verify that it is logged in. For details, see Record login with a browser.
  • It is recommended to disable the setting Configuration > Test options > Send tests on logout pages; otherwise you will get too many login prompts.

None

Select this option if the application does not require users to log in.

Login Validation Status Indicator

Status indicator

Indicates the status of In-Session Detection:
  • Green: Enabled and configured. (An in-session page has been identified in the login sequence, either automatically or by the user.)
  • Yellow: Enabled but not fully configured.
  • Red: Enabled but configuration failed.
  • Gray: Disabled.

See Select Detection Pattern dialog box for details.

Import or Export Login Settings

Import

When you record a login sequence, it is saved as part of the scan. If you save the scan as a template, the login sequence is saved as part of the template.

To import a login sequence that was previously saved as a *.login file, click the Import button.

Export

To export the login sequence by itself, to use in future scans, click the Export button. The sequence is saved as a *.login file.