Request-based login troubleshooting
If the In-Session Detection Pattern shown in the Details tab does not correctly identify in-session status, you can select a different pattern using the Requests sequence.
Procedure
- In Scan Configuration > Login Management > Details > Requests, select the URL marked In-Session (highlighted in green), then click the Select button at the bottom of the dialog box to choose a different pattern.
  The browser opens and you can select a new pattern either in the browser or the response body tab. Then close the browser and click Validate.
- If you cannot identify an in-session pattern on the final page, do the following:
  - Select the request above the request you just looked at.
  - Double-click it and check that it does not contain the login credentials.
  - If it does not, click Select, and try to identify a different pattern.
  - If you do not find an in-session pattern, repeat the previous step for the next request up. You can repeat this as necessary, until you reach a request that contains the login credentials.
- If you are unable to identify an in-session pattern in any of these pages, and there are one or more URLs listed after the In-Session page, use the same procedure to look for an in-session pattern on that page.
- If there are no extra URLs, try recording the login sequence again, but click one extra link after you are logged in, preferably a personalized setting, and look for an in-session pattern on that page.
- If this fails, try selecting an out-of-session pattern:
  A. Select the URL that was originally marked as the In-Session request.
  B. Open a browser (outside AppScan) and send this request on its own (not preceded by the rest of the login sequence).
  C. Compare the two responses, and try to identify an expression in the body of the response from Step B that does not exist in the in-session page (such as "You are not logged in").
     Note: If the request redirects to a different page, you cannot use the response you see in the browser, but need to use the response to the actual request, which you can obtain using a sniffer.
  D. At the bottom of the Details tab, click the In-Session drop-down button and select Out-of-session, and then paste the pattern you identified into the Detection Pattern field.
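
The comparison of the two responses in the out-of-session steps above can be scripted once both bodies are saved. The following is an added example, not part of the AppScan documentation or product: it lists text fragments that occur only in the out-of-session response, and the function names and both sample responses are constructed for illustration.

```python
from html.parser import HTMLParser


class _TextLines(HTMLParser):
    """Collect visible text fragments, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.lines, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace runs
        if text and not self._skip:
            self.lines.append(text)


def visible_text(body):
    parser = _TextLines()
    parser.feed(body)
    parser.close()
    return parser.lines


def candidate_patterns(in_session_body, out_of_session_body, min_len=8):
    """Fragments of the out-of-session response absent from the in-session one."""
    # Check the raw body as well as the visible text: a marker that also sits
    # in a script or attribute of the logged-in page cannot tell the two apart.
    haystack = (in_session_body + " " + " ".join(visible_text(in_session_body))).lower()
    found = []
    for frag in visible_text(out_of_session_body):
        if len(frag) >= min_len and frag not in found and frag.lower() not in haystack:
            found.append(frag)
    # Fragments with digits often carry timestamps or tokens that change on
    # every response, so rank them last; otherwise prefer longer fragments.
    return sorted(found, key=lambda f: (any(c.isdigit() for c in f), -len(f)))


# Constructed sample responses (not captured from a real application).
IN_SESSION = """<html><head><title>My Account</title></head><body>
<h1>Welcome back, jsmith</h1><a href="/logout">Sign Off</a><p>Contact support</p></body></html>"""
OUT_OF_SESSION = """<html><head><title>Login</title></head><body>
<p>You are not logged in</p><p>Session expired at 10:42:07</p><p>Contact support</p></body></html>"""
```

Save the response to the actual request (from the sniffer, if the request redirects) as the out-of-session body, and paste the first stable candidate into the Detection Pattern field.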