IBM Support

Login methods in AppScan Standard



Overview of Login methods in IBM Security AppScan Standard.


When you create a new scan (File > New), the Scan Configuration Wizard presents a dialog listing the login methods.

At this point you need to decide which login method to use. The Recorded method will be preselected.

After the scan is created you may change or update the login method under Configuration > Login Management.


The login methods are as follows:

  • Recorded login - If you select this method (recommended for most scans), you need to record the login or import it from another source. You record it by clicking the Record button and running the login once. During the scan, AppScan replays the recorded login every time it detects that it is out of session. This option is described in detail below.
  • Prompt login - While scanning, AppScan prompts you to log in manually every time a login is required. This option may be used when human interaction is required, for example with CAPTCHA or Smart Cards.
  • Automatic login - AppScan automatically detects the login form presented by your application and supplies the User Name and Password you have provided. This option is less reliable than the recorded login method.
  • No login - AppScan will not try to log in at all and will scan only the pages that do not require a login. Use this option if your application does not require any login.

Recorded login

    When you choose the Recorded login option, you need to record a login sequence by clicking the Record button. After the recording is completed, go to the Details tab (Configuration > Login Management > Details) to configure the recorded sequence further.

    There are two methods of recording, Request-based and Action-based:

    • Request-based - In this recording AppScan remembers all requests sent to the application when recording the login. If the "Use action-based login when possible" option is unchecked, AppScan will use only the Request-based recording to log in to the application.

      The Requests tab lists the recorded URLs. AppScan marks these URLs (pages) as one of the following types:

      • Login
      • In-Session
      • Ignore

    • Action-based - In this recording AppScan remembers the actions you have taken when recording the login. This method has been added in AppScan Standard version 8.8.
      The Actions tab lists all recorded actions.

    One of the pages will be marked as In-Session if AppScan detects it. AppScan detects the page by matching the Logout Page Detection strings to the content of that page (the string can be modified in Scan Configuration > Login Management > Login/Logout > Logout Page Detection).

    If no page is automatically detected, you need to select a page, set it as an "In-session" page, and mark its unique pattern using the Select... button.

    Consult "How in-session detection mechanism works".
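A way to check a candidate in-session pattern before entering it with the Select... button, as an added example (not IBM's code and not how AppScan implements detection). The sample page bodies, candidate patterns and function names are constructed for illustration; the assumption is that a usable pattern matches the chosen page only while the session is valid.

```python
import re

# Constructed sample bodies of the same page, fetched with and without a valid session.
IN_SESSION_BODY = """<html><body>
<div id="nav">Welcome, jsmith | <a href="/account/logout.do">Sign Off</a></div>
<h1>Account Summary</h1></body></html>"""

OUT_OF_SESSION_BODY = """<html><body>
<div id="nav"><a href="/login.do">Sign In</a></div>
<h1>Please log in to continue</h1>
<p>Sign Off completed. Your session has ended.</p></body></html>"""

# Constructed candidate patterns a tester might consider marking as "unique".
CANDIDATES = [
    r"Sign Off",                      # also appears on the logged-out page
    r"Welcome, \w+",                  # only rendered for an authenticated user
    r'href="/account/logout\.do"',    # logout link only shown while in session
    r"Session expired",               # never appears on the in-session page
]

def evaluate_pattern(pattern, in_session_bodies, out_of_session_bodies):
    """Count where a pattern fails: missing in-session, or present out-of-session."""
    rx = re.compile(pattern, re.IGNORECASE)
    missed = sum(1 for body in in_session_bodies if not rx.search(body))
    false_hits = sum(1 for body in out_of_session_bodies if rx.search(body))
    return {
        "pattern": pattern,
        "missed": missed,          # in-session pages the pattern did not match
        "false_hits": false_hits,  # logged-out pages the pattern wrongly matched
        "usable": missed == 0 and false_hits == 0,
    }

def rank_patterns(candidates, in_session_bodies, out_of_session_bodies):
    """Return evaluations with usable patterns first, then by error count."""
    results = [evaluate_pattern(p, in_session_bodies, out_of_session_bodies)
               for p in candidates]
    return sorted(results, key=lambda r: (not r["usable"], r["missed"] + r["false_hits"]))

if __name__ == "__main__":
    for r in rank_patterns(CANDIDATES, [IN_SESSION_BODY], [OUT_OF_SESSION_BODY]):
        verdict = "usable" if r["usable"] else "reject"
        print(f'{verdict:7} missed={r["missed"]} false_hits={r["false_hits"]} {r["pattern"]}')
```

A pattern that also matches the logged-out page would leave the scanner believing it is still in session, so the recorded login would not be replayed and authenticated pages would go untested.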

Related information

Common insession issues

Document information

More support for: IBM Security AppScan Standard

Component: Scan: Authentication

Software version: 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3

Operating system(s): Windows

Reference #: 1607424

Modified date: 19 September 2018