Advanced In-Session Request Selection dialog

The Advanced In-Session Request Selection dialog box opens from Scan Configuration > Login > Review & Validate > Advanced Request Selection.

This is a version of the Edit Request-Based Login dialog box with more options. In this dialog box you can:
  • See the sequence of requests you sent when logging in
  • See the In-Session Detection Request
    Note: The page marked "In-Session" should be the first page to be highlighted. If an earlier "Login" page is highlighted, then either the in-session pattern is wrong or the wrong page is marked as "In-Session".
  • View any URL in the sequence in a browser
  • Set a different request as the In-Session Request, and select a new In-Session Detection Pattern from this new request
  • Delete unnecessary requests before the "In-Session" URL, so that AppScan does not repeat them many times during a scan
  • See requests sent after the In-Session Detection Request that contain the In-Session Detection Pattern and are marked "Ignore"
  • Search the requests in the sequence
  • Show only requests from specific domains
  • Open the Select Detection Pattern dialog box to select a pattern not suggested by AppScan

Table 1. "Advanced In-Session Request Selection" settings

| Setting | Details |
|---|---|
| Main list | Shows all requests in the recorded login procedure. |
| Find | Shows only requests that contain the text string you enter, in URL, Request, Response or All. |
| Show Domains | Shows only requests from domains selected in the drop-down list. |
| Click for AppScan to perform the following actions: | |
| Set as In-Session Request button | Sets the selected request as the In-Session Request, which AppScan uses during the scan to verify that it is still logged in. You can also do this by right-clicking a request in the list. |
| Advanced pattern selection button | Opens the Select Detection Pattern dialog box, showing the content of in-session and out-of-session responses to requests in the Login sequence you recorded (based on the selected detection pattern). It lets you see the selected detection pattern in the context of the response, and define a detection pattern that is not listed in the combo box. The dialog lets you toggle through all recorded responses. In the upper part of the box you can also see the in-session and out-of-session requests that AppScan sent. You can also do this by right-clicking a request in the list. |
| Show in browser button | Shows the response received to the selected request when the login was recorded. The window that opens has two tabs: the Browser tab shows the response received, and the Request/Response tab shows the raw data for both the request and the response. |
| Minus button | Deletes the selected request from the login sequence. |
| Detection Pattern | This field shows a pattern found in the selected In-Session Detection Request, which indicates that the user is in-session (or out-of-session if that option is selected). The drop-down list lets you select a detection pattern from candidates that AppScan has identified in the Login recording, and the green or red shading indicates whether the pattern is valid or invalid. Note: It is usually preferable to use an in-session pattern. However, in rare cases where the in-session pattern is not always returned following an in-session request, or where it is complicated to define, you can use an out-of-session pattern instead. If AppScan was unable to identify any valid pattern, or if you need to select a different one, use the Advanced pattern selection button to select your own. |
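
The checks this dialog box supports can be modeled in a few lines. The following is an added example, not AppScan code: the Recorded class, the review function, and the sample URLs and responses are constructed for illustration. It assumes the pattern is applied as a regular expression and counts as valid when it matches the in-session response of the In-Session Request but not the out-of-session response.

```python
import re
from dataclasses import dataclass

@dataclass
class Recorded:
    url: str
    in_session: str      # response body recorded while logged in
    out_of_session: str  # response body to the same request with no session

# Constructed login recording (hypothetical host and bodies).
SEQUENCE = [
    Recorded("https://app.example/login", "<form>Sign in</form>", "<form>Sign in</form>"),
    Recorded("https://app.example/doLogin", "Redirecting...", "<form>Sign in</form>"),
    Recorded("https://app.example/home", "Welcome <a href='/logout'>Sign Off</a>", "<form>Sign in</form>"),
    Recorded("https://app.example/account", "Balance <a href='/logout'>Sign Off</a>", "<form>Sign in</form>"),
]

def review(sequence, in_session_index, pattern):
    """Model the dialog's checks for one In-Session Request and pattern."""
    rx = re.compile(pattern)
    # Requests whose logged-in response contains the pattern ("highlighted").
    hits = [i for i, r in enumerate(sequence) if rx.search(r.in_session)]
    chosen = sequence[in_session_index]
    # Assumption: valid = present when logged in, absent when logged out.
    valid = bool(rx.search(chosen.in_session)) and not rx.search(chosen.out_of_session)
    first = hits[0] if hits else None
    return {
        "valid": valid,
        "first_highlighted": first,
        # An earlier hit means a wrong pattern or a wrong In-Session page.
        "earlier_page_highlighted": first is not None and first < in_session_index,
        # Later requests that also contain the pattern are marked "Ignore".
        "ignore": [i for i in hits if i > in_session_index],
    }

if __name__ == "__main__":
    for idx, pat in [(2, r"Sign Off"), (2, r"Sign"), (3, r"Sign Off")]:
        print(idx, repr(pat), review(SEQUENCE, idx, pat))
```

The second case shows a pattern that is too broad (it also appears on the login form), and the third shows a sound pattern with the wrong page marked as "In-Session".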