Review & Validate tab
Scan Configuration > Login Management > Review & Validate tab
When you record a login sequence, AppScan records both the actions and the requests. These are shown on the two sub tabs: Actions and Requests. When replaying the login AppScan attempts (by default) to reproduce the action-based login; if this is unsuccessful it uses the request-based login.
- Action-based version of the login sequence
- Request-based version of the login sequence
- In-Session Detection Request
- In-Session (or Out-of-Session) Detection Pattern
- Validate the current settings
Setting |
Details |
|
---|---|---|
Login Playback |
This section appears only if Recorded Login is the selected login method |
|
Login Playback Method |
When you record using the built-in browser, AppScan saves two versions of the login sequence you
record: one based on the actions you performed, and the other on
the HTTP requests actually sent.
Note: If you select Action-Based Login and it
fails during the scan, AppScan will try Request-Based Login.
If that succeeds, the setting here will be changed
automatically to Request-Based. Note: Action-based
Login is available only when the built-in browsers is used.
If you recorder with an external browser, or an external
client, only Request-Based Login is available. |
|
Automatic Login |
This section appears only if Automatic Login is the selected login method |
|
Auto-Detect In-Session Configuration button | Click for AppScan to perform the following actions:
|
|
Session Detection |
During scanning, AppScan must know at all times whether it is logged into or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly, and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the page's response, AppScan assumes it has been logged out, and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan. It is therefore best that it contains as few steps as possible. It is also helpful if the In-Session page is a small page, and does not contain tracked parameters or cookies, since these can also increase scan time significantly. |
|
In-Session Detection Request |
This is the request used by AppScan to verify that it is still in-session. This request should be one that produces different responses depending on whether or not the user is logged in. AppScan attempts to identify valid in-session requests, and you can select one of them from the drop-down list. If none are found, or suitable, you can select your own using the Advanced Request Selection button. |
|
Advanced request selection button |
This button opens a dialog box in which you can review requests in the login sequence, and select an In-Session Detection Request. For details, see Advanced In-Session Request Selection dialog |
|
In-Session Detection Pattern |
(Active only when an In-Session Detection Request is selected:) This field shows a pattern found in the selected In-Session Detection Request, which indicates that the user is in-session (or out-of-session if that option is selected). The drop-down list lets you select a detection pattern from candidates that AppScan has
identified in the Login recording, and the green or red message below the pattern indicates whether
the current pattern is valid or invalid.
Note: It is usually preferable to use an in-session
pattern. However, in rare cases where the in-session pattern is not always returned following an
in-session request, or where it is complicated to define, you can use an out-of-session
pattern instead. If AppScan was unable to identify any valid, or if you need to select a
different one, use the Advanced pattern selection button (next row in this table).RegExp: Select this check box to enter a regular expression for identifying the pattern. |
|
Advanced pattern selection button |
(Active only when an In-Session Detection Request is selected:) This button opens the Select Detection Pattern dialog box, showing the content of in-session and out-of-session responses to requests in the Login sequence you recorded (based on the selected detection pattern). It lets you see the selected detection pattern in the context of the response, and define a detection pattern that is not listed in the combo box. The dialog lets you toggle through all recorded responses. In the upper part of the box you can also see the in-session and out-of-session requests that AppScan sent. |
|
Validation |
||
Validate button |
(Active only if the current login sequence has not been verified yet:) Click to validate the sequence and the session detection pattern. | |
Key icon |
The key icon indicates In-Session Detection configuration status: Enabled and configured. (An in-session page has been identified in login sequence, either automatically or by the user.) Enabled but not fully configured. Enabled but not configuration failed. Disabled. See Select Detection Pattern dialog box for details. |