Session Cookie Authentication 🍪
Session cookie authentication is a method where a client proves its identity by presenting a valid session cookie to the server. This cookie is a small piece of data that the server sends to the client after a successful login. It acts as a token that identifies the user's session, so the user doesn't have to re-enter their credentials on every page request. The server uses this cookie to determine the user's logged-in state and associated permissions.
Configuring Session Cookie Authentication for a Web Application Scanner
When you configure a web application scanner to use session cookie authentication, you're essentially providing it with a key to an already open door. You don't need to teach the scanner how to log in; you just give it the proof of a successful login. Here's a step-by-step guide to configuring this:
Get the Session Cookie
The most crucial step is to obtain a valid session cookie from an active, logged-in session. To do this, you'll need to manually log in to the web application using your browser. Once logged in, use your browser's developer tools (often accessible by pressing F12) to inspect the network requests. Look for a request to a protected page and find the Cookie header. This header contains the session cookie and any other cookies the application is using. Copy the entire cookie string.
Adding authentication to a new target
- Click add target and select a web application scan, then click next.
- Add your target address and other details, then check "Add authentication method".
- Select session cookie based authentication.
- Now you can configure your authentication details:
  - Entrypoint URL*: This is the URL that the web application scanner will first visit when it begins crawling the application. It's often a page that requires authentication, such as the user's dashboard or profile page, to ensure the provided cookie is valid from the start.
  - Cookie Name and Value: Paste the cookie string you copied from the browser's developer tools here. Some scanners might require you to provide the cookie's name and value separately, while others may accept the entire string. For example, a cookie might look like JSESSIONID=A1B2C3D4E5F6. In this case, JSESSIONID is the name and A1B2C3D4E5F6 is the value.
  - Logged In Pattern: Just like with form-based authentication, you'll need to provide a logged in pattern. This is a piece of text or a regular expression that the scanner will look for on a page to confirm that the cookie is still valid and the session is active. Examples could be "My Account," "Logout," or "Welcome, [username]."
- After filling in all the required fields (marked with an asterisk), you can click Submit to save this authentication configuration for the scan target. The web application scanner will then use this information to authenticate itself before it begins crawling and scanning the application.
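The cookie-splitting and logged-in-pattern steps above, as an added example that is not part of this guide or the scanner's own code: a pre-flight script that parses the Cookie header copied from the browser into the name/value pairs the scanner asks for, then fetches the entrypoint URL with that cookie and applies the logged-in pattern, so an expired or wrongly copied cookie is caught before the scan is configured. The URL, cookie names and page bodies are constructed sample data; `fetch_with_cookie` does the live request and `fake_fetcher` stands in for it offline.

```python
import re
from typing import Callable, Dict
from urllib.request import Request, urlopen


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a copied 'a=1; b=2' Cookie header into {'a': '1', 'b': '2'}."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        if "=" not in pair:
            raise ValueError(f"malformed cookie pair: {pair!r}")
        # Split on the first '=' only so values that themselves contain '='
        # (base64 padding, signed tokens) are kept intact.
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def logged_in(body: str, pattern: str) -> bool:
    """Apply the scanner's logged-in pattern (plain text or regex) to a page body."""
    return re.search(pattern, body) is not None


def fetch_with_cookie(url: str, cookie_header: str) -> str:
    """Live fetcher: GET the entrypoint URL while presenting the copied cookie."""
    req = Request(url, headers={"Cookie": cookie_header})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8")


def check_session(url: str, cookie_header: str, pattern: str,
                  fetcher: Callable[[str, str], str] = fetch_with_cookie) -> bool:
    """True when the entrypoint page, fetched with the cookie, shows the pattern."""
    return logged_in(fetcher(url, cookie_header), pattern)


# Constructed sample data: a Cookie header as copied from dev tools, plus two
# fake page bodies standing in for the application's responses.
SAMPLE_HEADER = "theme=dark; JSESSIONID=A1B2C3D4E5F6; csrf=ab==cd"
LOGGED_IN_PAGE = "<a href='/logout'>Logout</a> Welcome, alice"
LOGIN_PAGE = "<form action='/login'>Username / Password</form>"


def fake_fetcher(url: str, cookie_header: str) -> str:
    """Offline stand-in for fetch_with_cookie: only the valid session id is logged in."""
    valid = parse_cookie_header(cookie_header).get("JSESSIONID") == "A1B2C3D4E5F6"
    return LOGGED_IN_PAGE if valid else LOGIN_PAGE
```

Run `check_session` with the default fetcher against your own entrypoint URL and pattern; a `False` result means the cookie should be re-copied from a fresh login before entering it in the scanner.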