
How to perform Cookie Authentication with Website Scanner

The Cookies Authentication Method allows the user to make an authenticated scan by having a valid cookie header in the target application.

The Cookies option allows the user to make an authenticated scan by having a valid pair of credentials in the target application.

HTTP Cookies are pieces of data that a web browser receives from the server and are usually used to identify the web session of a user (they are also called session cookies). 

After receiving a session cookie, the browser sends it with each HTTP request that it makes to that server. This lets the server know that the request is associated with that particular user.


Since our Cookie-based Authentication Method mimics the behaviour of a web browser that already has a session cookie, it is compatible with nearly all types of web applications that are using cookies to authenticate users. It requires the user to insert a valid session cookie in the ‘Cookie header’ field.

How to set it up

The session cookie must be taken from an already established web session (you need to manually log in to your web app and get the cookies from your browser). To obtain the cookie, please follow the steps in our “How to get the Session Cookie” article.

If your cookie header contains several strings, you need to manually remove the white spaces between them, like this:

Authentication enabled -> Cookies

! NOTE: In order for this kind of authentication to work, you’ll need to make sure to leave the logged-in session active through the duration of the scan. In other words, don’t log out of your authenticated session until it’s finished.

You can then check authentication using the “Check authentication” button. If the authentication is valid, the request should return a window showing the target webpage in authenticated mode. Otherwise, it will return a blank window.

You can check authentication by clicking on the "Check authentication" button.


If you encounter any errors when clicking on “Check authentication”, or if you notice an Authentication error message when you start the scan, you should check the following:

  • The Cookie header is correct;
  • You have an active session;
  • The cookie header should only contain the cookie name and value sets, with no white spaces between them and a semicolon (‘;’) at the end of each set. Ex: cookie_name1=cookie_value1;cookie_name2=cookie_value2;cookie_name3=cookie_value3;
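One way to turn a cookie string copied from the browser into the format described above, as an added example that is not part of the scanner or of the original article. The names `normalize_cookie_header` and `MAX_COOKIE_HEADER_LEN` are hypothetical, and applying the 5000-character limit from "Possible Errors" to the whole header is an assumption.

```python
MAX_COOKIE_HEADER_LEN = 5000  # limit from "Possible Errors"; assumed to cover the whole header


def normalize_cookie_header(raw: str) -> str:
    """Return raw as 'name1=value1;name2=value2;' or raise ValueError.

    Error messages name the item's position, never its value,
    so a session token does not end up in logs or tickets.
    """
    text = raw.strip()
    # Browser dev tools often copy the header name together with the value.
    if text.lower().startswith("cookie:"):
        text = text[len("cookie:"):]
    pairs = []
    for position, chunk in enumerate(text.split(";"), start=1):
        chunk = chunk.strip()
        if not chunk:
            continue  # tolerate trailing or doubled semicolons
        name, sep, value = chunk.partition("=")  # the value may itself contain '='
        name, value = name.strip(), value.strip()
        if not sep or not name:
            raise ValueError(f"item {position} is not a name=value pair")
        if any(c.isspace() for c in name + value):
            raise ValueError(f"item {position} contains white space")
        pairs.append(f"{name}={value}")
    if not pairs:
        raise ValueError("no cookies found")
    header = ";".join(pairs) + ";"
    if len(header) > MAX_COOKIE_HEADER_LEN:
        raise ValueError(
            f"header is {len(header)} characters, limit is {MAX_COOKIE_HEADER_LEN}"
        )
    return header


if __name__ == "__main__":
    # Constructed sample, not a real session.
    copied = "Cookie: sessionid=abc123; csrftoken=Zm9vYmFy==; theme=dark"
    print(normalize_cookie_header(copied))
```

Paste the returned string into the ‘Cookie header’ field; a `ValueError` points at the item to fix before you run “Check authentication”.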

Possible Errors

1. The Cookies method authentication is successful but the scan fails

Cause: If your cookies are renewed very often (for example every 5 minutes) then the scan will fail. A website scan could take several hours to complete. If those cookies are no longer valid after 5 minutes, the scanner will send valid authenticated requests only during the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the headers (which might include cookies and tokens).

2. The cookie size is larger than 5000 characters.

Solution: None. This is a limitation of the scanner.

3. Your target application doesn’t use cookies to authenticate users.

Solution: Use the Header method.

If your cookies authenticated scan still fails, you should try one of the other authentication methods:
