Session detection

Configure session detection so AppScan can verify login status during scans by selecting an In-Session Detection Request and defining an in-session (or out-of-session) detection pattern. Use advanced dialogs to review the recorded login sequence, set the in-session request, choose or define patterns (regular expressions supported), and validate or troubleshoot with Revalidate and Run login analyze.

Table 1. Advanced options

Setting

Details

Login Playback

This section appears only if Recorded Login is the selected login method.

Login Playback Method

When you record using the built-in browser, AppScan saves two versions of the login sequence you record: one based on the actions you performed, and the other on the HTTP requests actually sent.
  • Action-Based (used by default whenever possible): AppScan attempts to log in by replaying the clicks and keystrokes you performed.
    • Replay recording: Opens the Action-Based Player and replays the recorded login sequence in its browser.
    • Edit playback: Opens the Action-Based editor to view and edit details of the login recording.
  • Request-Based: If the first method fails, AppScan uses the request-based version, which re-sends the raw HTTP requests from the login recording.
If a message indicates that one of the methods failed, use the other method.
Note: If you select Action-Based Login and it fails during the scan, AppScan tries Request-Based Login. If that succeeds, the setting here is changed automatically to Request-Based.
Note: Action-Based Login is available only when the built-in browser is used. If you recorded with an external browser or an external client, only Request-Based Login is available.

Automatic Login

This section appears only if Automatic Login is the selected login method.

Analyze automatic login configuration > Analyze

Click for AppScan to perform the following actions:
  • Attempt to log in to the site using the credentials you supplied
  • Identify an In-Session Detection Pattern on the login page (see below)
  • Configure session identifiers (see Login session IDs)

Session Detection

During scanning, AppScan must know at all times whether it is logged in to or out of the site, so it can evaluate the site's responses correctly. During the scan, AppScan sends the In-Session Detection Request repeatedly and checks that the response contains the In-Session Detection Pattern, to verify that it is still logged in. If AppScan does not find the pattern in the response, it assumes it has been logged out and attempts to log in again by replaying the login sequence. It follows that the login sequence is typically played many times during a scan, so it is best that the sequence contains as few steps as possible. It also helps if the In-Session page is small and does not contain tracked parameters or cookies, since these can also increase scan time significantly.

In-Session Detection Request

This is the request used by AppScan to verify that it is still in-session. This request should be one that produces different responses depending on whether or not the user is logged in.

AppScan attempts to identify valid in-session requests, and you can select one of them from the drop-down list. If none are found, or none is suitable, you can select your own using the Advanced Request Selection button.

Advanced request selection button

This button opens a dialog box in which you can review the requests in the login sequence and select an In-Session Detection Request. For details, see Advanced request selection below.

In-Session Detection Pattern

(Active only when an In-Session Detection Request is selected.) This field shows a pattern found in the response to the selected In-Session Detection Request, which indicates that the user is in-session (or out-of-session if that option is selected).

The drop-down list lets you select a detection pattern from candidates that AppScan has identified in the Login recording, and the green or red message below the pattern indicates whether the current pattern is valid or invalid.
Note: It is usually preferable to use an in-session pattern. However, in rare cases where the in-session pattern is not always returned following an in-session request, or where it is complicated to define, you can use an out-of-session pattern instead.
If AppScan was unable to identify any valid pattern, or if you need to select a different one, use the Advanced pattern selection button (next row in this table).

RegExp: Select this check box to enter a regular expression for identifying the pattern.

See Select Detection Pattern dialog box for details.

Advanced pattern selection button

(Active only when an In-Session Detection Request is selected.) This button opens the Select Detection Pattern dialog box, showing the content of in-session and out-of-session responses to requests in the login sequence you recorded (based on the selected detection pattern). It lets you see the selected detection pattern in the context of the response, and define a detection pattern that is not listed in the combo box. The dialog lets you toggle through all recorded responses. In the upper part of the box you can also see the in-session and out-of-session requests that AppScan sent.

Validation

Revalidate

Active only if the current login sequence has been verified. Click to revalidate the sequence and the session detection pattern.

Run login analyze

Active only when a login has been recorded but the in-session detection configuration is missing or incorrect. Click to have AppScan use the recorded login to analyze and attempt to identify the correct configuration. If the configuration is valid, the "Revalidate" link is shown as usual. This is particularly useful for troubleshooting: you can adjust the recorded login sequence and find the in-session detection configuration without recording the login again.
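The following is an added example, not AppScan code, that models the session-detection behaviour described above: an In-Session Detection Request is re-sent during the scan, the response is checked for the detection pattern (as a literal string or, with RegExp selected, as a regular expression; an out-of-session pattern inverts the verdict), and the login sequence is replayed whenever the check fails. The target site is a constructed stub (FakeSite) whose session expires after a fixed number of requests, so the example runs offline; the paths, patterns and responses are invented.

```python
"""Added example: scan-time in-session verification with in-session,
out-of-session and regular-expression detection patterns.

Illustrative only; not AppScan's implementation. FakeSite, the paths and the
HTML snippets are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class DetectionConfig:
    request_path: str             # the In-Session Detection Request (assumed path)
    pattern: str                  # the In-Session (or Out-of-Session) Detection Pattern
    regexp: bool = False          # RegExp check box: treat pattern as a regular expression
    out_of_session: bool = False  # pattern marks a logged-OUT response instead of a logged-in one


def pattern_found(body: str, pattern: str, regexp: bool) -> bool:
    """Literal substring match, or regex search when RegExp is selected."""
    if regexp:
        return re.search(pattern, body) is not None
    return pattern in body


def in_session(body: str, cfg: DetectionConfig) -> bool:
    """In-session pattern: found means logged in.
    Out-of-session pattern: found means logged out, so the verdict is inverted."""
    found = pattern_found(body, cfg.pattern, cfg.regexp)
    return (not found) if cfg.out_of_session else found


class FakeSite:
    """Constructed stand-in for the target: any page needs a session, and the
    session expires after `session_ttl` requests."""

    def __init__(self, session_ttl: int):
        self.session_ttl = session_ttl
        self.remaining = 0
        self.logins = 0

    def login(self) -> None:
        """Stands in for replaying the recorded login sequence."""
        self.logins += 1
        self.remaining = self.session_ttl

    def get(self, path: str) -> str:
        if self.remaining <= 0:
            return "<h1>Login</h1><form action='/login'>...</form>"
        self.remaining -= 1
        if path == "/account":
            return "<a href='/logout'>Logout</a> Welcome back, user"
        return "<p>other page</p>"


def scan(site: FakeSite, cfg: DetectionConfig, test_requests: int, check_every: int) -> dict:
    """Send test requests; before every `check_every`-th one, re-send the
    In-Session Detection Request and replay the login if the check fails."""
    site.login()
    relogins = 0
    for i in range(test_requests):
        if i % check_every == 0:
            body = site.get(cfg.request_path)
            if not in_session(body, cfg):
                site.login()
                relogins += 1
        site.get("/test-%d" % i)
    return {"logins": site.logins, "relogins": relogins}


if __name__ == "__main__":
    cfg = DetectionConfig(request_path="/account", pattern="Logout")
    print(scan(FakeSite(session_ttl=5), cfg, test_requests=10, check_every=2))
```

Because the detection request is sent so often, the cost of a heavyweight In-Session page or a long login sequence multiplies across the whole scan, which is the reason the text recommends a small In-Session page and a minimal login recording.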

Advanced request selection

Advanced In-Session Request Selection dialog box, which opens from Configuration > Login management > Advanced options > Session detection > Advanced request selection.

This is a version of the Edit Request-Based Login dialog box with more options. In this dialog box you can:
  • See the sequence of requests you sent when logging in
  • See the In-Session Detection Request
    Note: The page marked "In-Session" should be the first page to be highlighted. If an earlier, "Login", page is highlighted then either the in-session pattern is wrong, or the wrong page is marked as "In-Session".
  • View any URL in the sequence in a browser.
  • Set a different request as the In-Session Request, and select a new In-Session Detection Pattern from this new request.
  • Delete unnecessary requests before the "In-Session" URL, to save AppScan repeating them many times during a scan.
  • See requests sent after the In-Session Detection Request that contain the In-Session Detection Pattern; these are marked "Ignore".
  • Search the requests in the sequence
  • Show only requests from specific domains
  • Open the Select Detection Pattern dialog box to select a pattern not suggested by AppScan
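The following is an added example, not AppScan code, of the check the dialog's highlighting lets you perform by eye: a candidate pattern is tested against every recorded response, and it is only valid if the In-Session response is the first one highlighted (an earlier "Login" page lighting up means the pattern or the In-Session request is wrong, as the note above says). It also shows the effect of deleting requests before the In-Session request. The recorded sequence, URLs and response bodies are constructed for the example; the rules in `validate` are this example's reading of the text, not AppScan's internal logic.

```python
"""Added example: validating a candidate detection pattern against a recorded
login sequence, and pruning requests before the In-Session request.

Illustrative only; not AppScan's implementation. RECORDING is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Recorded:
    url: str
    response: str


# Constructed recording: tracking pixel, login form, login POST, landing page, logo.
RECORDING = [
    Recorded("https://app.example/track.gif", "GIF89a"),
    Recorded("https://app.example/login",
             "<form id='login'>Username<input name='u'></form><a href='/help'>Help</a>"),
    Recorded("https://app.example/login", "HTTP 302 -> /home  Set-Cookie: session=abc"),
    Recorded("https://app.example/home", "<a href='/logout'>Logout</a> Welcome back, alice"),
    Recorded("https://app.example/logo.png", "PNG..."),
]


def matches(body: str, pattern: str, regexp: bool = False) -> bool:
    """Literal substring match, or regex search when RegExp is selected."""
    return re.search(pattern, body) is not None if regexp else pattern in body


def highlighted(recording, pattern, regexp=False):
    """Indexes of recorded responses containing the pattern (the rows the
    dialog would highlight)."""
    return [i for i, r in enumerate(recording) if matches(r.response, pattern, regexp)]


def validate(recording, in_session_index, pattern, regexp=False, out_of_session=False):
    """Return (valid, reason) for a candidate pattern.

    In-session pattern: must appear in the In-Session response and in no earlier
    response, otherwise the first highlighted page would be a 'Login' page.
    Responses after the In-Session request are ignored.
    Out-of-session pattern: must appear in an earlier (logged-out) response and
    must not appear in the In-Session response.
    """
    hits = highlighted(recording, pattern, regexp)
    before = [i for i in hits if i < in_session_index]
    at = in_session_index in hits
    if out_of_session:
        if at:
            return False, "out-of-session pattern also present in In-Session response"
        if not before:
            return False, "out-of-session pattern never seen on the login page(s)"
        return True, "ok"
    if not at:
        return False, "pattern not present in In-Session response"
    if before:
        return False, "first highlighted page is request %d, before In-Session (%d)" % (
            before[0], in_session_index)
    return True, "ok"


def prune_before(recording, in_session_index, keep):
    """Drop requests before the In-Session request whose index is not in `keep`
    (for example static assets), returning the shorter sequence and the new
    index of the In-Session request."""
    kept = [r for i, r in enumerate(recording) if i >= in_session_index or i in keep]
    removed = sum(1 for i in range(in_session_index) if i not in keep)
    return kept, in_session_index - removed


if __name__ == "__main__":
    for pat in ("Logout", "href=", "login"):
        print(pat, validate(RECORDING, 3, pat))
    print(validate(RECORDING, 3, "id='login'", out_of_session=True))
```

"Logout" is valid because the landing page is the first and only response that contains it; "href=" is rejected because the login form already contains it, so the login page would be highlighted first; and "id='login'" works as an out-of-session pattern because it is present on the login page and absent from the landing page.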
Table 2. "Advanced In-Session Request Selection" settings

Setting

Details

Main list

Shows all requests in the recorded login procedure.

Find

Show only requests that contain the text string you enter, in URL, Request, Response or All.

Show Domains

Show only requests from domains selected in the drop-down list.

Set as In-Session Request button

Sets the selected request as the In-Session Request, which AppScan uses during the scan to verify that it is still logged in.

You can also do this by right-clicking on a request in the list.

Advanced pattern selection button

Opens the Select Detection Pattern dialog box, showing the content of in-session and out-of-session responses to requests in the login sequence you recorded (based on the selected detection pattern). It lets you see the selected detection pattern in the context of the response, and define a detection pattern that is not listed in the combo box. The dialog lets you toggle through all recorded responses. In the upper part of the box you can also see the in-session and out-of-session requests that AppScan sent.

You can also do this by right-clicking on a request in the list.

Show in browser button

Shows the response received to the selected request when the login was recorded. The window that opens has two tabs: the Browser tab shows the rendered response, and the Request/Response tab shows the raw data for both the request and the response.

Minus button

Deletes the selected request from the login sequence.

Detection Pattern

This field shows a pattern found in the response to the selected In-Session Detection Request, which indicates that the user is in-session (or out-of-session if that option is selected).

The drop-down list lets you select a detection pattern from candidates that AppScan has identified in the Login recording, and the green or red shading indicates whether the pattern is valid or invalid.
Note: It is usually preferable to use an in-session pattern. However, in rare cases where the in-session pattern is not always returned following an in-session request, or where it is complicated to define, you can use an out-of-session pattern instead.
If AppScan was unable to identify any valid pattern, or if you need to select a different one, use the Advanced pattern selection button to select your own.