IBM Support

How to correct in-session detection issues in AppScan Enterprise

Technote (FAQ)


How do you address common in-session issues and ensure that the login session is maintained throughout a scan in IBM Security AppScan Enterprise?


There may be instances where AppScan detects that it is out-of-session, i.e. it is no longer able to validate the in-session pattern it marked during login recording. When this occurs an out-of-session notification is written to the scan log, and if AppScan cannot log back in after multiple attempts the scan suspends.


Consult Overview of In-Session Detection in AppScan Enterprise

AppScan can report out-of-session for the following reasons:

  1. Server stopped responding:

    AppScan may not get a response from the application in a timely manner because the application is overloaded or temporarily down.

    To test, disable the "Activate In-Session Detection" checkbox and restart the scan. This is a diagnostic step only: with detection disabled AppScan cannot notice a lost session, so re-enable it once the communication problem is understood.

    If the scan still suspends due to communication issues, check that the target application is up and running.

  2. Required session cookies or parameters were not automatically detected by AppScan Enterprise in the login sequence:

    AppScan automatically tries to detect cookies or parameters in the login sequence that it believes to be related to the session state (for example "ASP.NET_SessionId" or "JSESSIONID"). These are listed under Login Management when you expand the Login Session IDs (advanced) drop-down. There are buttons to Track or Stop Tracking any parameter or cookie you believe is or is not a session identifier; make sure everything that is a session identifier is tracked.

    If there are other session identifiers that were not detected, add them to the Parameters and Cookies section of the job properties (and track them) and try stopping/re-running the scan.

    If you are not sure which parameters or cookies are session identifiers, the rule of thumb is to set anything that has a dynamic value (usually a random alphanumeric string) to tracked and anything with a static value (for example the username or password) to untracked.

    If this fails you may need to follow up with the target application's developers on what is and is not a session identifier in the application, and adjust the configuration accordingly.
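    The rule of thumb above can be applied mechanically to a recorded login. The following script is an added example, not part of AppScan Enterprise or of this technote: it triages the cookies and parameters of a login recording into track/untrack using the well-known names the technote cites, the randomness of each value, and, when the login was recorded twice, whether the value changed between the two recordings. The recordings, field names and values are constructed for the example.

```python
"""Triage login-sequence cookies and parameters into "track" / "untrack".

Added example, not AppScan code.  Rule of thumb from the technote: dynamic,
random-looking values are session identifiers (track); static values such as
a username or password are not (untrack).  The two recordings below are a
constructed sample of the same login captured twice.
"""
import math
import re
from typing import Dict, Optional, Tuple

# Names that are session identifiers regardless of value (the first two are
# cited by the technote; the rest are common equivalents).
KNOWN_SESSION_NAMES = {"asp.net_sessionid", "jsessionid", "phpsessid", "sessionid"}

# Constructed: cookies/parameters seen in two recordings of the same login.
RECORDING_A = {
    "JSESSIONID": "7A3C9F0E2B6D4C1A8E5F0B2D9C7A1E3F",
    "csrf_token": "c1f4a9d2e7b3",
    "username": "scanuser",
    "password": "Winter2016!",
    "lang": "en",
    "remember_me": "1",
}
RECORDING_B = dict(RECORDING_A, JSESSIONID="0F1E2D3C4B5A69788796A5B4C3D2E1F0",
                   csrf_token="9e8d7c6b5a43")


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, words and flags low."""
    if not value:
        return 0.0
    n = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value: str) -> bool:
    """A 'random alphanumeric string': token charset, >= 8 chars, high entropy."""
    return (len(value) >= 8
            and re.fullmatch(r"[A-Za-z0-9_\-=+/%.]+", value) is not None
            and shannon_entropy(value) >= 3.0)


def classify(name: str, value: str, other_run: Optional[str] = None) -> Tuple[str, str]:
    """Return ("track" | "untrack", reason) for one cookie or parameter.

    other_run is the same field's value from a second recording, if available.
    """
    if name.lower() in KNOWN_SESSION_NAMES:
        return "track", "well-known session identifier name"
    if other_run is not None:
        if other_run == value:
            return "untrack", "identical in both recordings (static value)"
        if looks_random(value):
            return "track", "changed between recordings and looks random"
    if looks_random(value):
        return "track", "random-looking value (confirm with the developers)"
    return "untrack", "static or human-readable value"


def triage(run_a: Dict[str, str],
           run_b: Optional[Dict[str, str]] = None) -> Dict[str, Tuple[str, str]]:
    """Classify every field of recording A, using recording B when present."""
    return {name: classify(name, value, (run_b or {}).get(name))
            for name, value in run_a.items()}


if __name__ == "__main__":
    for field, (decision, reason) in triage(RECORDING_A, RECORDING_B).items():
        print(f"{decision:8} {field:12} {reason}")
```

    Recording the login twice is the strongest signal: anything the server issued afresh (here JSESSIONID and the CSRF token) differs between runs and should be tracked, while the credentials and static flags repeat and should not. With a single recording the script falls back to the value's look alone, which is why its "random-looking" verdicts are marked for confirmation with the developers.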

  3. In-Session page is not accessible when requested out-of-sequence:

    AppScan polls the In-Session page periodically throughout the scan, so it requests that page without necessarily visiting it in the same sequence as when the login was recorded.

    If you suspect that AppScan cannot remain in-session because the application only serves the page in a particular sequence, test this in your browser: log in by following the recorded sequence, copy the URL of the landing page that AppScan is using as its In-Session page, browse a few other pages of the application, and then browse directly to the copied URL.

    If the response does not contain the text you marked as the in-session pattern in the AppScan response traffic (for example, you are redirected to a customized error page), select other pages as your In-Session page until you find one that can be requested out of sequence.

  4. Detected In-Session page is a POST with the login parameters:

    If AppScan automatically detects a page as its In-Session page and you notice that it cannot remain in-session throughout the scan, examine the marked page in the HTTP traffic (check the box next to the In-Session page and click the globe button).

    If the request to the page contains the username and password parameters in the POST body, re-record the login, click a few pages deeper, and select one of the subsequent GET requests as your In-Session page instead. Whenever possible use a GET request rather than a POST as the In-Session page: polling a POST that carries the credentials repeats the login itself instead of checking whether the existing session is still valid.

  5. The user account gets locked out:

    If the user account gets locked out during the scan, consult How to prevent user account lockouts.

  6. Scan is in session for a while and visits/tests many pages but then goes out of session:

    If the scan remains in-session for a long period before going out-of-session, a specific test or series of tests is probably causing the scan to lose the session or invalidating the login credentials.

    If the Account gets locked out, check step #5.

    If the account is fine but the application stops responding during the scan, check the scan log to see whether a consistent test or set of tests is causing the outage, and remove these from your test policy.

  7. Recording the login does not capture the full login sequence:

    When trying to record a login sequence, sometimes upon opening the recorded login browser, you are already logged into the application.

    If this occurs, click logout, close the recorded login browser, and then start a new recording to capture the sequence from the start.

  8. The target Application is sensitive to concurrent sessions:

    If the target application is sensitive to concurrent sessions (for example, if the same user logging in concurrently in different browsers or tabs invalidates the earlier session), a multi-threaded scan can cause out-of-session issues.

    In AppScan under Connections set both the Number of Threads used for exploring and the Number of Threads used for testing to 1. This limits the scan to a single concurrent session, at the cost of a slower scan.

  9. Under Login Session IDs, the session id is displayed as Tracked for a specific domain (example:

    This happens because, when the login was recorded, this domain ( was the domain that set the cookie. When viewing the requests of the recorded login sequence (in AppScan or in a tool like Paros), there are additional, subsequent domains that also use this session id, i.e. Because the session id is tracked under Login Session IDs for that one domain only, its value is not updated in the playback of requests to the other domains, and the scan goes out-of-session.

    To fix this issue:
    1. Under "Parameters and Cookies", delete all occurrences of the session id except one.
    2. Edit the settings of the remaining session id:
      • Clear the value in Domain (optional); the session id is then no longer tied to a specific domain.
      • Ensure Track Type is set to Login Value (Recommended).
    3. Re-record the login in order to reset the session id setting.
    4. Rerun the scan to verify that the out-of-session issue is resolved.
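    The failure mode in item 9 is easy to see in a small model. The script below is an added example, not AppScan code: it models a "Login Value" tracked identifier (remember the value the login response sets, substitute it into later requests) and replays a constructed login sequence that spans two hosts, once with the identifier bound to the login host and once with the domain restriction cleared. The host names, paths and cookie values are constructed.

```python
"""Why a session id tracked for one domain only goes stale on other hosts.

Added example, not AppScan code.  A "Login Value" tracked identifier is
modelled as: remember the value the login response set, substitute it into
later requests.  Binding the identifier to one domain stops the substitution
on every other host, so those requests replay the recorded (old) value.
Hosts, paths and cookie values are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed playback: login on one host, application on another.  The
# application host only accepts the id the login host has just issued.
PLAYBACK: List[Dict] = [
    {"host": "login.example.test", "path": "/login", "set_cookie": ("SESSIONID", "NEW-7F3A")},
    {"host": "app.example.test", "path": "/home", "cookie": ("SESSIONID", "OLD-1C2B")},
    {"host": "app.example.test", "path": "/account", "cookie": ("SESSIONID", "OLD-1C2B")},
]
SERVER_EXPECTS = "NEW-7F3A"  # the id the application host considers in-session


class SessionIdTracker:
    """One tracked identifier, optionally bound to a single domain."""

    def __init__(self, name: str, domain: Optional[str] = None) -> None:
        self.name = name
        self.domain = domain          # None models "Domain (optional)" left empty
        self.current: Optional[str] = None

    def applies_to(self, host: str) -> bool:
        return self.domain is None or host == self.domain

    def learn(self, host: str, set_cookie: Optional[Tuple[str, str]]) -> None:
        """Remember the value a response on an applicable host set."""
        if set_cookie and set_cookie[0] == self.name and self.applies_to(host):
            self.current = set_cookie[1]

    def rewrite(self, host: str, cookie: Optional[Tuple[str, str]]) -> Optional[str]:
        """Value actually sent: the learned one if tracking applies on this host."""
        if cookie is None:
            return None
        name, recorded_value = cookie
        if name == self.name and self.applies_to(host) and self.current:
            return self.current
        return recorded_value


def replay(tracker: SessionIdTracker, steps: List[Dict] = PLAYBACK) -> List[str]:
    """Return the SESSIONID value sent with each request that carries one."""
    sent: List[str] = []
    for step in steps:
        tracker.learn(step["host"], step.get("set_cookie"))
        value = tracker.rewrite(step["host"], step.get("cookie"))
        if value is not None:
            sent.append(value)
    return sent


def stays_in_session(tracker: SessionIdTracker) -> bool:
    """True when every application request carried the id the server issued."""
    return all(value == SERVER_EXPECTS for value in replay(tracker))


if __name__ == "__main__":
    bound = SessionIdTracker("SESSIONID", domain="login.example.test")
    unbound = SessionIdTracker("SESSIONID")
    print("bound to login host:   ", replay(bound), stays_in_session(bound))
    print("no domain restriction: ", replay(unbound), stays_in_session(unbound))
```

    With the domain set, the tracker learns the new id from the login host but never applies it to app.example.test, so the recorded value is replayed and the scan drops out of session; with the domain cleared the same id is substituted on every host, which is what clearing "Domain (optional)" achieves in the job properties.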

  10. All other or persisting login/out of session issues:

    If you are unable to resolve the session issues using the general steps above, you may need to analyze the traffic log to find the reason for the suspension.

    To analyze the traffic log you can use the TrafficViewer tool that is delivered with the AppScan Enterprise product; it is not installed by default. Use the following technote to install it on your machine: How to install Traffic Viewer shipped with AppScan Enterprise.

    To generate the traffic log, enable the traffic log and reproduce the issue. Then download the Extended Support Log from the Statistics page, extract the traffic log from it, and import it into the TrafficViewer tool.

    Then compare the Requests and Responses of the login playback traffic (in TrafficViewer) to the recorded login in AppScan Enterprise (by clicking the globe button with each request checked) one by one.

    Look for the specific page/request where the playback receives a different response from the recording.
    • Is there a specific error message in the response from the application that helps identify the cause? (Example: an account lockout message or another server error.)
      If not, try to identify what is different in that request, or in prior requests, that could lead to the failure.
    • Were any specific parameters or cookies not sent or not updated correctly in the playback compared with the recording?
      If so, adjust the tracking accordingly.
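    The comparison described in item 10 can be scripted once the two traces are in hand. The following script is an added example, not the TrafficViewer tool or any AppScan code: it walks a recorded login and its playback side by side, stops at the first response whose status or in-session pattern differs, pulls an error hint from that response, and lists request fields that were replayed with the recorded value even though an earlier playback response had issued a new one (the "not updated correctly" case). Both traces, the in-session pattern and the error keywords are constructed.

```python
"""Locate where login playback diverges from the recording and which request
fields were replayed stale.

Added example, not the TrafficViewer tool.  Each trace is a list of
request/response pairs, as one would read them side by side in TrafficViewer
and in the recorded login; both traces below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

IN_SESSION_PATTERN = re.compile(r"Welcome, scanuser")      # the marked in-session text
ERROR_HINT = re.compile(r"locked|invalid|expired|timed out|not authori[sz]ed", re.I)
HIDDEN_FIELD = re.compile(r'name="([^"]+)"\s+value="([^"]*)"')


def step(method: str, url: str, cookies: Dict, params: Dict,
         status: int, set_cookies: Dict, body: str) -> Dict:
    return {"request": {"method": method, "url": url, "cookies": cookies, "params": params},
            "response": {"status": status, "set_cookies": set_cookies, "body": body}}


# Constructed recording: the login works and lands on the in-session page.
RECORDED: List[Dict] = [
    step("GET", "/login", {}, {}, 200, {"JSESSIONID": "A1"}, '<input name="csrf" value="t1">'),
    step("POST", "/login", {"JSESSIONID": "A1"},
         {"username": "scanuser", "password": "x", "csrf": "t1"}, 302, {"JSESSIONID": "B2"}, ""),
    step("GET", "/home", {"JSESSIONID": "B2"}, {}, 200, {}, "Welcome, scanuser"),
]
# Constructed playback: the server issued a fresh csrf value, the recorded one
# was replayed, and the login is rejected.
PLAYBACK: List[Dict] = [
    step("GET", "/login", {}, {}, 200, {"JSESSIONID": "C3"}, '<input name="csrf" value="t9">'),
    step("POST", "/login", {"JSESSIONID": "C3"},
         {"username": "scanuser", "password": "x", "csrf": "t1"}, 200, {}, "Invalid or expired CSRF token"),
    step("GET", "/home", {"JSESSIONID": "C3"}, {}, 302, {}, ""),
]


def issued_values(response: Dict) -> Dict[str, str]:
    """Values the server handed out in a response: Set-Cookie plus hidden fields."""
    issued = dict(response["set_cookies"])
    issued.update(HIDDEN_FIELD.findall(response["body"]))
    return issued


def first_divergence(recorded: List[Dict], playback: List[Dict]) -> Tuple[Optional[int], str]:
    """Index and kind of the first playback response that differs from the recording."""
    for i, (rec, play) in enumerate(zip(recorded, playback)):
        if rec["response"]["status"] != play["response"]["status"]:
            return i, "status"
        rec_hit = bool(IN_SESSION_PATTERN.search(rec["response"]["body"]))
        play_hit = bool(IN_SESSION_PATTERN.search(play["response"]["body"]))
        if rec_hit != play_hit:
            return i, "in-session pattern"
    return None, "no divergence"


def stale_fields(recorded: List[Dict], playback: List[Dict], index: int) -> Dict[str, Tuple[str, str]]:
    """Fields of request `index` replayed with the recorded value although an
    earlier playback response had issued a different one: (sent, issued)."""
    issued: Dict[str, str] = {}
    for earlier in playback[:index]:
        issued.update(issued_values(earlier["response"]))
    sent = dict(playback[index]["request"]["cookies"], **playback[index]["request"]["params"])
    recorded_sent = dict(recorded[index]["request"]["cookies"], **recorded[index]["request"]["params"])
    return {name: (value, issued[name]) for name, value in sent.items()
            if name in issued and issued[name] != value and recorded_sent.get(name) == value}


def error_hint(body: str) -> Optional[str]:
    """First lockout/validity keyword in a response body, if any."""
    match = ERROR_HINT.search(body)
    return match.group(0).lower() if match else None


def analyze(recorded: List[Dict] = RECORDED, playback: List[Dict] = PLAYBACK) -> Dict:
    index, kind = first_divergence(recorded, playback)
    if index is None:
        return {"index": None}
    request = playback[index]["request"]
    return {"index": index, "kind": kind,
            "request": request["method"] + " " + request["url"],
            "error_hint": error_hint(playback[index]["response"]["body"]),
            "stale": stale_fields(recorded, playback, index)}


if __name__ == "__main__":
    print(analyze())
```

    A "stale" entry names a cookie or parameter that should be marked as tracked under Parameters and Cookies (item 2 above); an error hint such as "locked" points back to item 5. On real traces the in-session pattern and the error keywords should be replaced with the text of the application under test.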

Cross reference information
Segment: Security
Product: Rational Policy Tester
Component: Authentication

Document information

More support for: IBM Security AppScan Enterprise
Scan: Authentication/In-session

Software version: 8.6, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3

Operating system(s): Windows

Software edition: Enterprise, Reporting Console

Reference #: 1459308

Modified date: 29 March 2016
