If you're looking to choose an appropriate authentication method for your web app and struggling to choose the appropriate type, this article will help guide you through the options and how to choose the correct method.
Recorded Login authentication
Recorded Login authentication is the most versatile authentication method. You supply the scanner with a JSON file containing step-by-step instructions: which fields to navigate to, what to enter in each field, and which buttons to press in order to log in.
This method is particularly useful for more complex or custom login flows where form-based or cookie-based authentication isn’t enough. It works well with login pages that include JavaScript rendering, dynamic content, or other interaction elements that traditional methods may not support.
Does it look like this?
If your login requires JavaScript-rendered forms, uses dynamic field names, or involves interacting with buttons or fields that are not immediately visible on page load, then this method is likely the best fit.
For example, in the screenshot above, this page is the first of two pages that appear, and only the email is entered on the first page.
⚠️ Something to consider
Recorded Logins require precise instructions to succeed. If the structure of the login page changes frequently, or if the login requires unpredictable steps (e.g., MFA, CAPTCHA), you will need to update the recording regularly.
If MFA is enabled, you may need to exempt the scanner IP range or create a dedicated user with MFA disabled.
What user guide should I follow?
You can find the full instructions for setting up Recorded Login authentication, including how to create and upload the necessary JSON file, here: Recorded Login Authentication Guide
Form-based authentication
Most web applications use form-based authentication for their users. This will usually have a username field, a password field and a login button.
Does it look like this?
⚠️ Something to consider
However, there are a number of things to consider before moving ahead with this.
If the login form makes calls or requests to another domain, or relies on JavaScript to make API calls, you'll need to use another method, most likely Session Cookie Authentication.
If the authentication flow requires an additional step such as completing a CAPTCHA test, multi-factor authentication or another user verification step, you'll need to allow the Intruder scanner IP range, or the user account you've configured, to bypass these steps.
If your authentication involves SSO or a login redirect, you'll need to use an alternative method such as Session Cookie Authentication.
If, after running a scan, it looks as though the authentication has been unsuccessful, we'd recommend giving one of the other methods a go (so long as there's built-in support for it).
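The first consideration above, whether the login form posts back to the same origin or to another domain, can be checked from the login page's HTML before you pick a method. The script below is an added example, not Intruder's code: it finds every form containing a password field, resolves its action URL against the page URL, and reports whether the submission stays on the same host. The hosts and HTML snippets are constructed for illustration. It only sees plain HTML form submissions; a login driven by JavaScript API calls is invisible to it and, as the page says, needs the Session Cookie route anyway.

```python
# Added example (not Intruder's code): report where each password form on a
# login page submits, so you can tell a same-origin form (form-based auth is
# a candidate) from one that posts to another domain (use session cookies).
# Plain HTML forms only; JavaScript-driven API logins are not visible here.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collects every <form> and notes whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_form_targets(page_url, html):
    """Return one dict per password form: resolved action URL, HTTP method,
    and whether that action is on the same host as the login page."""
    finder = _LoginFormFinder()
    finder.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    targets = []
    for form in finder.forms:
        if not form["has_password"]:
            continue  # search boxes, newsletter sign-ups, etc.
        action = urljoin(page_url, form["action"])  # "" resolves to the page itself
        targets.append({
            "action": action,
            "method": form["method"],
            "same_origin": urlsplit(action).netloc.lower() == page_host,
        })
    return targets


# Constructed sample pages (hypothetical hosts) showing both outcomes.
SAME_ORIGIN_PAGE = """
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post">
  <input name="username"><input type="password" name="password">
  <button type="submit">Log in</button>
</form>
"""

CROSS_DOMAIN_PAGE = """
<form method="post" action="https://auth.example.net/session">
  <input name="email"><input type="PASSWORD" name="pw">
</form>
"""

if __name__ == "__main__":
    for page in (SAME_ORIGIN_PAGE, CROSS_DOMAIN_PAGE):
        for t in login_form_targets("https://app.example.com/login", page):
            verdict = ("form-based is a candidate" if t["same_origin"]
                       else "posts to another domain: consider session cookie auth")
            print(t["method"].upper(), t["action"], "->", verdict)
```

Run it against the saved HTML of your real login page (fetched with the browser's "view source", so that the markup is what the scanner would see) and pass the page's actual URL as `page_url` so relative actions resolve correctly.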
What user guide should I follow?
If none of the above applies and form-based is the right option for your web app, we'd recommend following the steps in this article: Form Based Authentication.
Cookie-based authentication
Cookies are pieces of data used to identify the user and their preferences. Cookie-based authentication relies on a session cookie: the browser returns it with every request, which is what keeps the session authenticated from one page to the next.
Does it look like this?
⚠️ Something to consider
This method works for the majority of web apps but you would need to confirm two main things:
The session token expiry is set to last long enough for the scan (ideally over 24 hours)
The web app supports the use of cookie values for authentication
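The first of those two checks, that the session token lasts long enough for the scan, can be read straight from the Set-Cookie header the app returns after you log in. The script below is an added example, not Intruder's code: it parses a Set-Cookie value, works out the cookie's remaining lifetime (Max-Age takes precedence over Expires, as RFC 6265 specifies), and compares it with the 24-hour guideline above. The sample headers and the fixed clock value are constructed for illustration. A cookie with neither attribute is a session cookie whose lifetime is decided server-side, so the check flags it for manual confirmation rather than passing it.

```python
# Added example (not Intruder's code): check whether a login session cookie
# will outlive a scan. The 24-hour threshold is the guideline given above.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MIN_LIFETIME = timedelta(hours=24)

# Constructed "current time" so the Expires sample gives a stable answer.
FIXED_NOW = datetime(2026, 10, 20, 6, 28, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flags such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_lifetime(header, now=None):
    """Remaining lifetime as a timedelta, or None for a session cookie
    (no Max-Age and no Expires). Max-Age wins over Expires (RFC 6265)."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # e.g. a "-0000" date parses as naive
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def check_scan_cookie(header, now=None):
    """Return (ok, reason) for relying on this cookie during a long scan."""
    name, _, _ = parse_set_cookie(header)
    lifetime = cookie_lifetime(header, now)
    if lifetime is None:
        return False, f"{name}: session cookie, lifetime is set server-side; confirm the idle timeout"
    hours = lifetime.total_seconds() / 3600
    minimum = MIN_LIFETIME.total_seconds() / 3600
    if lifetime < MIN_LIFETIME:
        return False, f"{name}: expires in {hours:.1f}h, below the {minimum:.0f}h recommended"
    return True, f"{name}: expires in {hours:.1f}h"


# Constructed sample headers, as a login response might return them.
SAMPLES = [
    "sid=a1b2c3; Max-Age=172800; Path=/; Secure; HttpOnly",
    "sid=a1b2c3; Max-Age=1800; Path=/; Secure; HttpOnly",
    "sid=a1b2c3; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; Secure",
    "sid=a1b2c3; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLES:
        ok, reason = check_scan_cookie(h, FIXED_NOW)
        print("OK  " if ok else "WARN", reason)
```

Copy the Set-Cookie line from the browser's network panel (or from `curl -i` against the login endpoint) and feed it to `check_scan_cookie`; for a session cookie, the figure to confirm with your developers is the server-side idle timeout, which the header does not expose.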
What user guide should I follow?
You can find the guide you need to set this up here: Cookie-Based Authentication
Header-based authentication
This type of authentication describes credentials that are sent to the web server in an HTTP request header (usually the Authorization header) rather than in a form or cookie.
Does it look like this?
⚠️ Something to consider
This will be something that the application has been specifically designed to support - if you're unsure, we suggest checking with your web app developers.
What user guide should I follow?
If you're confident that header-based is for you, this is the article you'll need to get set up: Header-based authentication.
HTTP Basic authentication
This is one of the most basic authentication methods: the browser itself displays a simple login prompt for a username and password, rather than the application serving a login page.
Does it look like this?
⚠️ Something to consider
You'll also need to retrieve the Realm value – a string generally assigned by the origin server – if you want to authenticate using this method in Intruder.
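The Realm is sent by the server in the WWW-Authenticate header of its 401 response, so it can be read without guessing. The script below is an added example, not Intruder's code: it extracts the realm from a Basic challenge, copes with quoted and unquoted realm values, and ignores other schemes (Bearer, Digest) that may share the header. The 401 headers it runs against are constructed for a hypothetical app. One known limitation: because it splits the header on scheme keywords, a realm whose text itself contains a word like "Basic" would be cut short.

```python
# Added example (not Intruder's code): read the Realm value out of a server's
# WWW-Authenticate header so it can be entered into the Basic auth settings.
import re

# Split a multi-challenge header at each scheme keyword (zero-width split).
_SCHEME_SPLIT = re.compile(r"(?i)(?=\b(?:Basic|Bearer|Digest|Negotiate|NTLM)\b)")
# realm="quoted value" (with \" escapes) or realm=unquoted-token
_REALM = re.compile(r'(?i)\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def basic_realm(www_authenticate):
    """Return the realm of the Basic challenge, '' if the Basic challenge
    carries no realm, or None if the header offers no Basic challenge."""
    for challenge in _SCHEME_SPLIT.split(www_authenticate):
        challenge = challenge.strip()
        if not re.match(r"(?i)Basic\b", challenge):
            continue
        m = _REALM.search(challenge)
        if m is None:
            return ""
        if m.group(1) is not None:
            return m.group(1).replace('\\"', '"')  # unescape \" inside quotes
        return m.group(2)
    return None


def find_basic_realm(headers):
    """headers: iterable of (name, value) pairs, as returned by e.g.
    http.client's response.getheaders(). A server may send several
    WWW-Authenticate headers; the first one with a Basic challenge wins."""
    for name, value in headers:
        if name.lower() == "www-authenticate":
            realm = basic_realm(value)
            if realm is not None:
                return realm
    return None


# Constructed 401 response headers for a hypothetical app.
SAMPLE_401_HEADERS = [
    ("Date", "Tue, 20 Oct 2026 06:28:00 GMT"),
    ("WWW-Authenticate", 'Bearer realm="api"'),
    ("WWW-Authenticate", 'Basic realm="Intruder Test App", charset="UTF-8"'),
    ("Content-Length", "0"),
]

if __name__ == "__main__":
    print("Realm:", find_basic_realm(SAMPLE_401_HEADERS))
```

To get the real header, request the protected URL without credentials (`curl -i` is enough) and pass the response headers to `find_basic_realm`; the string it returns is what goes in the Realm field.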
What user guide should I follow?
To configure this, please see the instructions in this article.
Authenticated scans are available to any user with an Authentication license.