HTTP cookies are pieces of data that a web browser receives from a server; they are commonly used to identify a user's web session (such cookies are called session cookies).
After receiving a session cookie, the browser sends it with every HTTP request it makes to that server. This lets the server know that the request belongs to that particular user.
Compatibility
Since our Cookie-based Authentication Method mimics the behavior of a web browser that already holds a session cookie, it is compatible with nearly all web applications that use cookies to authenticate users. It requires the user to enter a valid session cookie in the ‘Cookie header’ field.
How to set it up
The session cookie must be taken from an already established web session (you need to log in to your web application manually and copy the cookies from your browser). To obtain the cookie, please follow the steps in our “How to get the Session Cookie” article.
You can then check that the cookie is correct by using the “Check authentication” button. If the authentication is valid, the request returns a window showing the target web page in authenticated mode. Otherwise, it returns a blank window.
Troubleshooting
If you encounter any errors when clicking “Check authentication”, or if you notice an authentication error message when you start the scan, check that:
- The Cookie header is entered correctly;
- You still have an active session (the cookie is still valid);
- The Cookie header contains only cookie name=value pairs separated by semicolons, with no other attributes. Ex: cookie_name1=cookie_value1; cookie_name2=cookie_value2; cookie_name3=cookie_value3;
Possible Errors
1. The Cookies method authentication is successful but the scan fails
Cause: If your cookies are renewed very often (for example every 5 minutes), the scan will fail. A website scan can take several hours to complete; if the cookies are no longer valid after 5 minutes, the scanner sends authenticated requests only during the first 5 minutes.
Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the header values too (they might include cookies and tokens).
2. The cookie size is larger than 5000 characters.
Solution: None. This is a limitation of the scanner.
3. Your target application doesn’t use cookies to authenticate users.
Solution: Use the Header method.
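The two checks above that a user can perform before starting a scan, the name=value-only format of the Cookie header (Troubleshooting) and the 5000-character limit (Possible Errors, item 2), can be automated. The following script is an added example written for this article; it is not part of the scanner or its own validation code. It assumes only what the article states (semicolon-separated name=value pairs, a 5000-character limit) and goes slightly beyond it by also applying the RFC 6265 character rules for cookie names and values, and by flagging Set-Cookie attributes (Path, HttpOnly, Secure, ...) that users sometimes paste by mistake from a response header. The sample headers in the `__main__` block are constructed for illustration.

```python
"""Validate a Cookie header string before pasting it into the scanner's
'Cookie header' field. Added example, not the scanner's own code."""

import re
from typing import Dict, List, Tuple

# Limit stated in the article (Possible Errors, item 2).
MAX_COOKIE_HEADER_LENGTH = 5000

# Set-Cookie attributes that must not appear in a Cookie request header.
# Seeing them usually means a Set-Cookie response line was pasted instead.
SET_COOKIE_ATTRIBUTES = {
    "path", "domain", "expires", "max-age", "secure", "httponly", "samesite",
}

# RFC 6265: cookie-name is an HTTP token; cookie-value is made of
# cookie-octets (no whitespace, ';', ',', '\\' or '"'), optionally in quotes.
COOKIE_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
COOKIE_VALUE_RE = re.compile(r'^"?[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*"?$')


def parse_cookie_header(header: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (cookies, problems): the name=value pairs found and a list of
    human-readable reasons the header is not suitable for the scanner."""
    cookies: Dict[str, str] = {}
    problems: List[str] = []

    if len(header) > MAX_COOKIE_HEADER_LENGTH:
        problems.append(
            f"header is {len(header)} characters, above the "
            f"{MAX_COOKIE_HEADER_LENGTH}-character scanner limit"
        )

    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate a trailing ';' as in the article's example
        if "=" not in part:
            if part.lower() in SET_COOKIE_ATTRIBUTES:
                problems.append(f"'{part}' is a Set-Cookie attribute, not a cookie")
            else:
                problems.append(f"'{part}' is not a name=value pair")
            continue
        name, _, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if name.lower() in SET_COOKIE_ATTRIBUTES:
            problems.append(f"'{name}' is a Set-Cookie attribute, not a cookie")
        elif not COOKIE_NAME_RE.match(name):
            problems.append(f"cookie name '{name}' contains invalid characters")
        elif not COOKIE_VALUE_RE.match(value):
            problems.append(f"value of '{name}' contains invalid characters")
        elif name in cookies:
            problems.append(f"cookie '{name}' appears more than once")
        else:
            cookies[name] = value

    if not cookies:
        problems.append("no cookies found")
    return cookies, problems


def format_cookie_header(cookies: Dict[str, str]) -> str:
    """Rebuild a clean header in the exact form the article expects."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


if __name__ == "__main__":
    # Constructed sample inputs: the article's example, a pasted Set-Cookie
    # line, and an oversized header.
    samples = [
        "cookie_name1=cookie_value1; cookie_name2=cookie_value2; cookie_name3=cookie_value3;",
        "sessionid=abc123; Path=/; HttpOnly; Secure",
        "sid=" + "x" * 5000,
    ]
    for sample in samples:
        found, issues = parse_cookie_header(sample)
        print("OK:  " if not issues else "BAD: ", format_cookie_header(found)[:60])
        for issue in issues:
            print("     -", issue)
```

Run the script on the header copied from your browser; when it reports no problems, the normalized output of `format_cookie_header` is what belongs in the ‘Cookie header’ field. A header that fails the length check cannot be fixed on the scanner side, as item 2 above states, so the script only reports it.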