Identifying in-session pages
Using in-session detection, the scan can detect whether it has been logged out of the application it is testing. An in-session pattern is a pattern found on a page, such as a logout link, that the scan uses to verify that it is still logged in. During a recorded login sequence the scan identifies an in-session page automatically; if that is not the page you want to use for in-session detection, you can change it.
About this task
The scan polls the application periodically during the automatic explore and test phases: it requests the in-session page and checks whether that page is still in session. The page is treated as out-of-session if, for example, the response to the request is a redirect to the login page or to a customized error page, or if the specified in-session pattern is missing from the response. When an out-of-session state is detected, the scan does one of the following:
- If an out-of-session state is detected in the explore phase, the scan stops all of its threads, logs in again, checks its in-session state, and then re-explores all the pages visited since the last point at which a valid session state was confirmed. If a specific page causes the out-of-session state, that page is logged and the scan continues. If the scan is unable to log in again, the job is suspended.
- If an out-of-session state is detected in the test phase, the scan stops all of its testing threads, logs in again, checks its in-session state, and then reruns all the tests since the last point at which a valid session state was confirmed.
- If a test (including a security attack) causes the out-of-session state, that test is logged and the scan continues.
- If an out-of-session state is detected during issue retest (and in-session detection was enabled on the original scan), the scan follows the same procedure as for an out-of-session state detected during the test phase. If the test being retested itself causes the out-of-session state, the test is logged and the issue retest is incomplete.
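The following is an added example, not AppScan's own code, that models the behaviour described above: a classifier that decides from a response to the in-session page whether the scan is still logged in (redirect to the login page, redirect to a custom error page, or missing in-session pattern all count as out-of-session), and a small explore loop that polls that page, re-logs in when the session is lost, re-explores from the last confirmed-good checkpoint, and logs the page that dropped the session. The target application, the `/login` and `/error` paths, the logout-link regular expression, and the poll interval are all assumptions constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed stand-in for an HTTP response; not AppScan's own data model.
@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Assumed paths of the target's login page and customized error page.
LOGIN_PATH = "/login"
ERROR_PATH = "/error"
# In-session pattern: a logout link that the application renders only for an
# authenticated user, so it never appears on the login page itself.
IN_SESSION_PATTERN = re.compile(r'href="[^"]*/logout"', re.IGNORECASE)


def is_in_session(resp):
    """Classify the response to the in-session page. Returns (ok, reason)."""
    if 300 <= resp.status < 400:
        path = urlparse(resp.headers.get("Location", "")).path
        if path.startswith(LOGIN_PATH):
            return False, "redirect to login page"
        if path.startswith(ERROR_PATH):
            return False, "redirect to error page"
        return False, "unexpected redirect to " + path
    if resp.status != 200:
        return False, "unexpected status %d" % resp.status
    if not IN_SESSION_PATTERN.search(resp.body):
        return False, "in-session pattern missing"
    return True, "in-session pattern found"


class FakeApp:
    """Constructed target: requesting SESSION_KILLER silently ends the session."""
    SESSION_KILLER = "/account/logout-all"

    def __init__(self):
        self.logged_in = False

    def login(self):
        self.logged_in = True

    def get(self, path):
        if path == self.SESSION_KILLER:
            self.logged_in = False
        if not self.logged_in:
            return Response(302, {"Location": "/login?next=" + path})
        if path == "/home":
            return Response(200, body='<nav><a href="/logout">Sign out</a></nav>')
        return Response(200, body="<p>page %s</p>" % path)


def explore(app, pages, in_session_page="/home", poll_every=2, max_relogins=3):
    """Visit pages, polling the in-session page every poll_every requests.

    On an out-of-session state: log in again, verify, and re-explore every
    page since the last confirmed-good checkpoint, this time checking after
    each page so the page that drops the session can be logged.
    Returns (visited, culprits, relogins)."""
    app.login()
    if not is_in_session(app.get(in_session_page))[0]:
        raise RuntimeError("login sequence does not reach an in-session page")
    visited, culprits, relogins = [], [], 0
    checkpoint = 0      # first page not yet covered by a confirmed-good check
    replaying = False   # True while re-exploring to isolate the culprit
    i = 0
    while i < len(pages):
        app.get(pages[i])
        visited.append(pages[i])
        i += 1
        if not (replaying or i % poll_every == 0 or i == len(pages)):
            continue
        ok, reason = is_in_session(app.get(in_session_page))
        if ok:
            checkpoint, replaying = i, False
            continue
        if relogins >= max_relogins:
            raise RuntimeError("unable to log in again (%s); job suspended" % reason)
        app.login()
        relogins += 1
        if not is_in_session(app.get(in_session_page))[0]:
            raise RuntimeError("unable to log in again; job suspended")
        if replaying:
            # Checking after every page during replay means the page just
            # visited is the one that caused the out-of-session state.
            culprits.append(pages[i - 1])
            checkpoint, replaying = i, False
        else:
            i, replaying = checkpoint, True
    return visited, culprits, relogins


if __name__ == "__main__":
    crawl = ["/a", "/b", FakeApp.SESSION_KILLER, "/c", "/d"]
    print(explore(FakeApp(), crawl))
```

Running the block replays the two pages after the last good checkpoint once, logs `/account/logout-all` as the culprit, and needs two re-logins in total: one when the poll first notices the lost session and one more when the replayed culprit drops it again. The pattern is deliberately a logout link rather than a word such as "Login", which would match on the login page too and hide the logout from the scan.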
Before you begin, enable the feature by creating the LoginVerification global extended property:
- Log in to the AppScan Enterprise application.
- Go to Administration > General Settings > Global Extended Properties.
- Create a new property named LoginVerification with its value set to 1 or true.
Procedure
- Go to the Login Management page of the content scan job.
- In the list of URLs, select the page you want to use as the in-session page and click In-session.
- In the Activate in-session detection section of the page, select the Activate in-session detection check box.
- If needed, edit the regular expression in the in-session pattern field, click Update to apply the pattern, and click Save. Choose a pattern that appears only while logged in (such as a logout link), not text that also appears on the login page; otherwise the scan cannot notice that it has been logged out.