The Cookies authentication method lets you run an authenticated scan by supplying a valid Cookie header for the target application.
HTTP cookies are small pieces of data that a server sends to the web browser, most often to identify the user's web session (in which case they are called session cookies).
After receiving a session cookie, the browser sends it with every subsequent HTTP request to that server. This lets the server associate each request with that particular logged-in user.
Because our Cookie-based authentication method mimics the behaviour of a browser that already holds a session cookie, it works with nearly all web applications that use cookies to authenticate users. It only requires you to paste a valid session cookie into the ‘Cookie header’ field.
How to set it up
The session cookie must be taken from an already established web session (you need to manually login to your web app and get the cookies from your browser). In order to obtain the Cookie, please follow the steps in our “How to get the Session Cookie” article.
If your Cookie header contains several name=value pairs, you need to manually remove the white space between them, so that the header reads like this: cookie_name1=cookie_value1;cookie_name2=cookie_value2;
! NOTE: In order for this kind of authentication to work, you’ll need to make sure to leave the logged-in session active through the duration of the scan. In other words, don’t log out of your authenticated session until it’s finished.
You can then verify the setup with the “Check authentication” button. If the cookie is valid, a window opens showing the target web page as seen by the logged-in user. Otherwise, the window is blank.
If you get an error when clicking “Check authentication”, or an authentication error message when you start the scan, verify the following:
- The Cookie header is correct (copied completely, with no pairs missing);
- Your session is still active (you have not logged out and it has not timed out);
- The Cookie header contains only name=value pairs, with no white space between them and a semicolon (‘;’) at the end of each pair. Note that browsers separate pairs with a semicolon followed by a space; the scanner needs that space removed. Ex: cookie_name1=cookie_value1;cookie_name2=cookie_value2;cookie_name3=cookie_value3;
1. The Cookies method authentication is successful but the scan fails
Cause: the cookies are renewed or expire very often (for example every 5 minutes). A website scan can take several hours to complete; if the cookies stop being valid after 5 minutes, only the requests sent in those first 5 minutes are authenticated and the rest of the scan effectively runs as an anonymous user.
Solution: if possible, increase the session (cookie) lifetime in your target web application. Otherwise, try the Header authentication method. However, pay attention to the lifetime of the headers as well (they may contain cookies or tokens that expire in the same way).
2. The Cookie header is larger than 5000 characters
Cause: the scanner cannot handle a Cookie header longer than 5000 characters. This is a limitation of the scanner and cannot be changed.
Solution: use the Header authentication method instead.
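The two checks above (the no-whitespace format with a semicolon after each pair, and the 5000-character limit) and the cookie-lifetime problem from point 1 can be done before starting a scan. The script below is an added example, not the scanner's own code: it takes a Cookie header as copied from the browser's developer tools, rewrites it into the format the scanner expects, reports anything the scanner would reject, and reads the Max-Age or Expires attribute of a Set-Cookie header to tell whether the cookie will outlive an estimated scan duration. The 5000-character limit is the one quoted on this page; the function names, the sample cookies and the scan duration are assumptions for the example.

```python
"""Prepare and sanity-check a Cookie header for a cookie-authenticated scan.

Added example, not the scanner's own code. Assumed: the scanner's limit is
5000 characters (quoted on the page); the scan duration is a rough estimate
supplied by the caller; Set-Cookie headers are copied from the browser's
developer tools. All sample inputs below are constructed.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

SCANNER_COOKIE_LIMIT = 5000  # character limit stated on this page

# Fixed "current time" so the lifetime examples are reproducible (constructed).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_cookie_header(raw: str) -> List[Tuple[str, str]]:
    """Split a Cookie header ("a=1; b=2" as browsers send it, or the
    scanner's "a=1;b=2;" form) into (name, value) pairs."""
    pairs = []
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed cookie pair: {part!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def to_scanner_format(raw: str) -> str:
    """Render the pairs as name=value;name2=value2; with no whitespace and a
    ';' after every pair, which is the format the page asks for."""
    return "".join(f"{name}={value};" for name, value in parse_cookie_header(raw))


def check_scanner_cookie(header: str) -> List[str]:
    """Return the problems that would make the scanner reject this header."""
    problems = []
    if re.search(r"\s", header):
        problems.append("contains whitespace")
    if not header.endswith(";"):
        problems.append("last pair is not terminated by ';'")
    if len(header) > SCANNER_COOKIE_LIMIT:
        problems.append(f"length {len(header)} exceeds {SCANNER_COOKIE_LIMIT}; use the Header method")
    return problems


def cookie_lifetime_seconds(set_cookie: str, now: datetime) -> Optional[float]:
    """How long a cookie issued by this Set-Cookie header stays valid, in
    seconds. Max-Age takes precedence over Expires (RFC 6265). None means no
    expiry attribute: the browser keeps it until closed, and only the
    server-side session timeout (not visible here) decides."""
    attrs = {}
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        attrs[key.lower()] = value
    if "max-age" in attrs:
        return float(int(attrs["max-age"]))
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    return None


def outlives_scan(set_cookie: str, now: datetime, scan_seconds: float) -> Optional[bool]:
    """True/False if the header says whether the cookie survives a scan of
    scan_seconds; None if the header carries no expiry to judge by."""
    lifetime = cookie_lifetime_seconds(set_cookie, now)
    return None if lifetime is None else lifetime >= scan_seconds


if __name__ == "__main__":
    raw = "PHPSESSID=abc123; csrftoken=xyz789; theme=dark"  # constructed
    header = to_scanner_format(raw)
    print(header, check_scanner_cookie(header) or "OK")
    # A cookie renewed every 5 minutes versus a 3-hour scan (point 1 above).
    print(outlives_scan("PHPSESSID=abc123; Path=/; HttpOnly; Max-Age=300", SAMPLE_NOW, 3 * 3600))
```

Paste the value that to_scanner_format returns into the ‘Cookie header’ field. If outlives_scan reports False, expect the failure described in point 1 and raise the session lifetime in the application (or switch to the Header method) before scanning; if it reports None, the cookie has no expiry attribute and the server-side session timeout is what matters, so keep the browser session logged in for the whole scan.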
If your cookie-authenticated scan still fails, try one of the other authentication methods: