diff --git a/docs/getting-further/authentication/session-handling/index.html b/docs/getting-further/authentication/session-handling/index.html index d8867c171f..9d18099665 100644 --- a/docs/getting-further/authentication/session-handling/index.html +++ b/docs/getting-further/authentication/session-handling/index.html @@ -144,7 +144,7 @@
Session management configuration is part of a ZAP context.
ZAP supports Cookie and HTTP Authentication Session Management out of the box.
diff --git a/search/index.json b/search/index.json index 94bd5b7b0f..6f33001839 100644 --- a/search/index.json +++ b/search/index.json 
@@ -4973,7 +4973,7 @@ "keywords": ["-","authentication","guide","handling","session"], "tags": ["authentication","guide"], "summary": "\u003cp\u003e\u003cscript type=\"text/javascript\" async src=\"https://play.vidyard.com/embed/v4.js\"\u003e\u003c/script\u003e\n\nIf ZAP is handling authentication then it needs to handle sessions as well - logging in is of no use if ZAP does not maintain the session as the target app will just treat ZAP as being unauthenticated.\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"/docs/desktop/start/features/sessionmanagement/\"\u003eSession management\u003c/a\u003e configuration is part of a ZAP context.\u003c/p\u003e", - "content": "zap handling authentication then needs handle sessions logging use does not maintain session target app will just treat being unauthenticated management configuration part context desktop configured via screen framework defined environment api endpoints underneath sessionmanagement component supports cookie http out box your uses another mechanism you can that using custom script applications may implement serverside clientside both sides difficult test isolation typically need also configure before should always try auto detection first works nearly handled by headers straightforward getting hold tokens put harder do know what type application authenticate manually while proxying through look responses from headerbased arbitrary number used conjunction browser based all cookies set cookiebased see any setcookie returned likely make request verification url authenticated open manual editor dialog check there header when send indicates logged case remove response longer other such which wwwauthenticate authorization above automatically performed making requests ajax spider dom xss scanner rule cannot reason inject into selenium scripts video explains demonstrates how up owasp juice shop: previous finding next methods " + "content": "zap handling authentication then needs handle sessions logging use does not 
maintain session target app will just treat being unauthenticated management configuration part context desktop configured via screen automation framework defined environment api endpoints underneath sessionmanagement component supports cookie http out box your uses another mechanism you can that using custom script applications may implement serverside clientside both sides difficult test isolation typically need also configure before should always try auto detection first works nearly handled by headers straightforward getting hold tokens put harder do know what type application authenticate manually while proxying through look responses from headerbased arbitrary number used conjunction browser based all cookies set cookiebased see any setcookie returned likely make request verification url authenticated open manual editor dialog check there header when send indicates logged case remove response longer other such which wwwauthenticate authorization above automatically performed making requests ajax spider dom xss scanner rule cannot reason inject into selenium scripts video explains demonstrates how up owasp juice shop: previous finding next methods " }, { "url": "/docs/alerts/10105-1/",
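Review bot: In the search/index.json hunk, the unchanged "summary" field for this entry still begins with an escaped script element (`\u003cscript type=\"text/javascript\" async src=\"https://play.vidyard.com/embed/v4.js\"\u003e`) ahead of the actual summary text. If the search front end ever inserts summaries as HTML, every results page showing this entry would load that third-party script. I suggest stripping script elements in the step that generates summaries, so the index holds text and plain markup only, and regenerating this file. The "content" change itself, adding "automation" between "screen" and "framework", looks like regenerated output that follows the session-handling page edit in the first hunk. The changed line of that first hunk is not visible here, so please confirm the two agree.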