Identifying in-session pages

Using in-session detection, the scan can detect whether or not it has been logged out of an application it is attempting to test. An in-session pattern is a pattern identified in a page, such as a logout link, that the scan can use to verify that it is still logged in. During a recorded login sequence, the scan identifies an in-session page. If this is not the page you want to use for in-session detection, you can change it.

About this task

If you identify a page that is part of the recorded login sequence, all pages following the selected in-session page will be marked as part of the Explore phase; the in-session page must be part of the manual explore sequence after you log in. Use the In-session status icon to see if you have correctly set up in-session detection for the scan. A message accompanies each icon with an update and possible remediation tasks.
Learn more about in-session pages:

The scan will poll the application periodically during the automatic explore and test phases to see if it can reach an in-session page and determine if that page is still in session. If the page is out-of-session (for example, the response to a request is a redirect to the login page or to a customized error page, or a specified in-session pattern is missing), it will do one of the following:

  • If an out-of-session state is detected in the explore phase, the scan will stop all of its threads, re-login, check its in-session state, and then re-explore all the pages since the last point a valid session state was confirmed. If a page is causing the out-of-session state, that page will be logged, and the scan will continue. If it is unable to log in, the job will be suspended.
  • If an out-of-session state is detected in the test phase, the scan will stop all of its testing threads, re-login, check its in-session state, and then rerun all the tests since the last point a valid session state was confirmed.
    • If a test causes the scan to be out-of-session, that test will be logged, and the scan will continue.
    • If a security test causes the scan to be out-of-session, the security attack will be logged, and the scan will continue.
  • If an out-of-session state is detected during issue retest (and in-session detection was enabled on the original scan), the scan will follow the same procedure as an out-of-session detection state detected during the test phase. If that test now causes an out-of-session state, the test will be logged and the issue retest will be incomplete.

Procedure

  1. Go to the Login Management page of the content scan job.
  2. In the list of URLs, select the page you want to use as the in-session page and click In-session.
  3. In the Activate in-session detection section of the page, select the Activate in-session detection check box.
  4. Edit the regular expression in the In-session pattern field, click Update to update the pattern, and click Save.

What to do next

Identifying the logout page