Login troubleshooting
Tips for troubleshooting session detection problems in the Scan Configuration > Login Management view.
When you close the browser after recording the login procedure, the green key icon confirms that AppScan has detected an in-session pattern that can be used during scanning to verify its in-session status. If one of the other icons appears instead, AppScan may not have enough information to log in to the site during scanning.
Scan Configuration > Login Management records the login sequence in two ways: as actions and as requests. As long as one of these two methods succeeds, AppScan will be able to log in to the site. The table below can help you troubleshoot in cases where both methods have failed.
| Icon | Message | Possible user actions |
|---|---|---|
|  | Using action-based login. Action-based login: Succeeded. Request-based login: Succeeded | No action necessary. Action-based login will be used, and request-based login will be available as a fallback method. |
|  | Using action-based login. Action-based login: Succeeded. Request-based login: Failed | No action necessary. Action-based login will be used. To troubleshoot the request-based sequence, see Request-based login troubleshooting. |
|  | Using request-based login. Action-based login: Failed. Request-based login: Succeeded | No action necessary. Although action-based login is the preferred method, since request-based login succeeded, that version will be used. To troubleshoot the action-based sequence, see Action-based login troubleshooting. Note: If one of the login pages is very slow, it may be more practical to use request-based login as many logins are typically required during a scan. |
|  | Login not yet recorded | Either click and record a login or, if login is not required, in the Login/Logout tab > Login method, select None to disable session detection. |
|  | Login not yet validated | If changes have been made to one of the sequences, you must click the Validate button to validate the new login sequence. |
|  | In-Session Detection Pattern not defined | First try recording the login again, but this time after you are logged in, click an additional link, before closing the login recorder. The extra link should be to a page whose response will include data or links that are available only when users are in-session. This may enable AppScan to automatically identify a valid pattern. If this does not work, define an in-session pattern yourself. For details see Select Detection Pattern dialog box. |
|  | Session request same as login request | Generally, the login sequence should end immediately when AppScan is logged in to the application. However, in rare cases, the in-session request also contains the login request (with username and password). In such cases, whenever AppScan replays the in-session request (to verify that it is logged in) it will actually log itself in, and therefore be unable to detect when it is logged out. The solution is to record the login sequence and when logged in, to click another link on the page. The login sequence will now have an extra step. As long as this new request does not include the credentials, AppScan will be able to use the sequence to verify when it is logged out, and the key icon will change to green. |
|  | Session page redirects | If the page selected as the first in-session page redirects to another page, it is likely that the in-session pattern selected by AppScan is incorrect. |
|  | Session page not identified | In the Request tab, open the final page of the login sequence, look for a pattern (either in the Browser tab or the Request/Response tab) that is unique to logged-in users (such as a "log out" link), and select that as the in-session pattern. |
|  | Session detection disabled | No action necessary. Session detection can be enabled by selecting one of the three Login methods: Recorded, Prompt, or Automatic. |
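The "Session request same as login request" case can be reproduced with a small model. The following is an added example, not AppScan code or part of the original page: `ToyApp`, `in_session`, `detects_logout`, the paths and the credentials are all constructed for illustration. It shows that replaying a credentialed request as the session check never notices a logout, while the extra-link request does.

```python
import re

class ToyApp:
    """Constructed stand-in for a web application (not AppScan, not a real site)."""
    USERS = {"alice": "s3cret"}  # constructed sample credentials

    def __init__(self):
        self.sessions = set()

    def handle(self, path, params=None, cookie=None):
        """Process one request and return (response_body, session_cookie)."""
        params = params or {}
        user = params.get("username")
        # Any request carrying valid credentials creates a session.
        if user in self.USERS and self.USERS[user] == params.get("password"):
            cookie = f"sid-{user}"
            self.sessions.add(cookie)
        if path == "/logout":
            self.sessions.discard(cookie)
            return "Logged out", None
        if cookie in self.sessions:
            return '<a href="/logout">Log out</a> Account overview', cookie
        return "Please sign in", None

def in_session(app, request, cookie, pattern=r"Log out"):
    """Replay the in-session request and search the response for the pattern."""
    path, params = request
    body, _ = app.handle(path, params, cookie)
    return re.search(pattern, body) is not None

def detects_logout(session_request):
    """Log in, log out, then report whether the session check notices the logout."""
    app = ToyApp()
    _, cookie = app.handle("/login", {"username": "alice", "password": "s3cret"})
    assert in_session(app, session_request, cookie)  # check passes while logged in
    app.handle("/logout", cookie=cookie)
    return not in_session(app, session_request, cookie)

# Session request identical to the login request (carries the credentials).
LOGIN_AS_SESSION = ("/login", {"username": "alice", "password": "s3cret"})
# Extra link clicked after login; the request carries no credentials.
EXTRA_LINK = ("/account", None)

if __name__ == "__main__":
    print("login request as session check:", detects_logout(LOGIN_AS_SESSION))
    print("extra link as session check:   ", detects_logout(EXTRA_LINK))
```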