Running a scan with IBM Security AppScan Standard results in the error "AppScan Standard has detected it is out-of-session and is trying to re-login"
While running a scan, the following notification is displayed in the UI, followed by a 90-second countdown:
"AppScan Standard has detected it is out-of-session and is trying to re-login"
During this time, the Scan Log shows multiple login requests until the scan eventually stops with this log entry:
Stopping scan due to out of session detection
AppScan Standard detects that it is out-of-session and is not able to validate its marked in-session pattern.
An overview of AppScan Standard in-session detection is given in technote #1607424.
Resolving the problem
There are several possibilities why this can occur:
- Server stopped responding:
AppScan Standard may not be able to get a timely response from the application because it is overloaded or temporarily down. To test this, try clearing the "In-Session Detection" check-box in the Session Information window, then continue the scan. If the scan still stops because of communication issues, see the technote "Communication errors displayed when scanning with AppScan Standard" for more details.
- Required session cookies or parameters were not automatically detected by AppScan Standard in the login sequence:
AppScan Standard automatically tries to detect cookies or parameters in the login sequence that it believes are related to session state (for example, "ASP.NET_SessionId" or "JSESSIONID"). These are listed in the Scan Configuration > Parameters and Cookies window.
If other session identifiers were not detected, add them to the Session IDs list and try continuing the scan. If you are not sure which ones matter, first add all of the cookies and parameters that show up in the login sequence; if AppScan Standard is then able to remain in-session, remove IDs one at a time until the specific cookie or parameter is isolated. All parameters and cookies related to the login are listed at the bottom of the Details tab in the Login Management section of the Scan Configuration.
- In-Session page is not accessible when requested out-of-sequence:
Because AppScan Standard polls the In-Session page periodically throughout the scan, it does not necessarily visit it in the same sequence as when the login sequence was recorded. If you suspect that this is why AppScan Standard cannot remain in-session, test it in your browser: explore the sequence, copy the URL that AppScan Standard uses as its In-Session page, continue with a short explore of the application, then browse directly to the page in question. If the response does not contain the text you previously marked in the AppScan Standard browser (for example, you are redirected to a customized error page), try selecting other pages as your In-Session page until you find one that permits this type of access.
- Detected In-Session page is a POST with the login parameters:
If AppScan Standard automatically detects a page as its In-Session page and you notice that it is not able to remain in-session throughout the scan, examine the marked page in the Session Information window by highlighting it and clicking the View button. If the page contains the username and password parameters, try selecting another page further down in the list, marking its pattern in the browser, then continuing the scan. If there is no other page to select, try re-recording the login sequence and include one extra page in the explore, then mark that page as your In-Session page.
NOTE: If the scan does not stop due to in-session detection but you notice a large number of "Performing login" entries in the Scan Log during the Test Phase, a particular test or group of tests may be causing AppScan Standard to go out-of-session. To investigate further, enable the negative tests in the Scan Log (Tools > Options > Scan Options tab > Customize Scan Log, then select "Test ID [ID] is negative on: url (param)") and continue the Test Phase. If you see numerous occurrences of one test being performed followed by the login sequence, consider excluding a commonly displayed page or parameter from testing, or modifying the Test Policy for the test that is repeatedly being performed.
- Recording the login does not capture login page:
When you try to record a login sequence, sometimes on opening the recorded login browser you are already logged into the application. If this occurs, close the recorded login browser, open Internet Explorer and clear the cookies (Tools > Internet Options > General) by deleting all cookies and temporary files. You should now be able to record the complete login successfully.
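The in-session check and the "required session cookies were not detected" case above, as an added Python simulation that is not AppScan code and not part of the original technote: a constructed toy application issues two session-bound cookies, the scanner loop replays only the IDs it tracks, polls the in-session page for the marked pattern, re-logs in when the pattern is missing, and stops after a bounded number of re-logins, mirroring the Scan Log entries quoted above. The names ToyApp, in_session and scan are hypothetical.

```python
import re
import secrets

# Constructed toy application (not AppScan or any real product): login issues
# JSESSIONID, which a scanner detects automatically, plus "app_state", a second
# session-bound cookie that the scanner only replays if it was added manually.
class ToyApp:
    def __init__(self):
        self.sessions = {}  # JSESSIONID -> expected app_state value

    def login(self, user, password):
        sid, state = secrets.token_hex(8), secrets.token_hex(8)
        self.sessions[sid] = state
        return {"JSESSIONID": sid, "app_state": state}

    def get(self, cookies):
        sid = cookies.get("JSESSIONID")
        if sid in self.sessions and cookies.get("app_state") == self.sessions[sid]:
            return "<h1>Welcome back, alice</h1>"
        return "<h1>Session expired, please log in</h1>"  # customized error page


def in_session(body, pattern):
    """The in-session check: does the marked pattern appear in the response?"""
    return re.search(pattern, body) is not None


def scan(app, tracked_ids, pattern="Welcome back", requests=5, max_relogins=3):
    """Simulate the scanner loop: replay only the tracked session IDs, poll the
    in-session page, re-login when the pattern is missing, and give up after
    max_relogins attempts. Returns the scan log as a list of strings."""
    log, relogins = [], 0
    cookies = {k: v for k, v in app.login("alice", "pw").items() if k in tracked_ids}
    for _ in range(requests):
        if in_session(app.get(cookies), pattern):
            log.append("In-session page OK")
            continue
        relogins += 1
        log.append("Performing login")
        if relogins > max_relogins:
            log.append("Stopping scan due to out of session detection")
            break
        # Re-login issues a fresh session, but the untracked cookie is dropped again.
        cookies = {k: v for k, v in app.login("alice", "pw").items() if k in tracked_ids}
    return log
```

Tracking only JSESSIONID reproduces the repeated "Performing login" entries followed by the stop; adding "app_state" to the tracked IDs keeps every poll in-session.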