Choosing the right authentication method for your web-app

Unsure which authentication method to choose? This article should help.

Written by Joe Haigh
Updated over a week ago

If you're struggling to choose an appropriate authentication method for your web app, this article will guide you through the options and how to pick the correct one.

Form-based authentication

Most web applications use form-based authentication for their users. This will usually have a username field, a password field and a login button.

Does it look like this?

⚠️ Something to consider...

However, there are a number of things to consider before moving ahead with this.

  • If authenticating through the form makes calls or requests to another domain, or requires JavaScript to make API calls, you'll need to use another method, most likely Session Cookie Authentication.

  • If the authentication flow requires an additional step such as completing a CAPTCHA test, multi-factor authentication or other user verification steps, you'll need to authorise our Intruder scanner IP range or the user account that you've configured to bypass these steps.

  • If your authentication involves SSO or a login redirect, then you'll need to use an alternative method such as Session Cookie Authentication.

If, after running a scan, it looks as though the authentication has been unsuccessful, we'd recommend giving one of the other methods a go (so long as there's built-in support for it):

What user guide should I follow?

If none of the above applies and form-based is the right option for your web app, we'd recommend following the steps in this article: Form Based Authentication.


Cookie-based authentication

Cookies are pieces of data used to identify the user and their preferences. Cookie-based authentication uses specific cookies, such as HTTP cookies, to maintain the authenticated session by returning the cookie every time a page is requested in the browser.

Does it look like this?

⚠️ Something to consider

This method works for the majority of web apps but you would need to confirm two main things:

  • The session token expiry is set to last long enough for the scan (ideally over 24 hours)

  • The web app supports the use of cookie values for authentication
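One way to check the first point before starting a scan, as an added example that is not Intruder's own code: it reads the Set-Cookie headers returned at login and reports whether each cookie's client-side lifetime is over 24 hours. The header values and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MIN_LIFETIME = timedelta(hours=24)  # "ideally over 24 hours", per the list above


def cookie_lifetime(set_cookie, now):
    """Return (name, lifetime) for one Set-Cookie header value.

    lifetime is None when the cookie has neither Max-Age nor Expires: the
    browser keeps it until it closes, and only the server-side session
    timeout (not visible in the header) decides how long it stays valid.
    """
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.partition("=")[0].strip()
    parsed = {}
    for attr in attrs:
        key, _, value = attr.partition("=")
        parsed[key.strip().lower()] = value.strip()
    if parsed.get("max-age", "").lstrip("-").isdigit():
        # Max-Age takes precedence over Expires (RFC 6265).
        return name, timedelta(seconds=int(parsed["max-age"]))
    if parsed.get("expires"):
        expires = parsedate_to_datetime(parsed["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, expires - now
    return name, None


def review(set_cookie_headers, now):
    """Map each cookie name to 'ok', 'too short' or 'unknown'."""
    verdicts = {}
    for header in set_cookie_headers:
        name, lifetime = cookie_lifetime(header, now)
        verdicts[name] = ("unknown" if lifetime is None
                          else "ok" if lifetime > MIN_LIFETIME else "too short")
    return verdicts


# Constructed sample headers, not taken from any real application.
SAMPLE_NOW = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Max-Age=3600; Path=/; HttpOnly; Secure",
    "auth_token=def456; Expires=Fri, 03 Jan 2025 12:00:00 GMT; Path=/; Secure",
    "PHPSESSID=ghi789; Path=/; HttpOnly",
    "sid=jkl012; Expires=Fri, 03 Jan 2025 12:00:00 GMT; Max-Age=600",
]
```

An "ok" verdict only covers the lifetime the browser is told about; a shorter server-side session timeout would still end the session early.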

What user guide should I follow?

You can find the guide you need to set this up here: Cookie-Based Authentication


Header-based authentication

With this type of authentication, the credentials sent to the web server are part of the HTTP header itself (usually in an Authorization header).

Does it look like this?

⚠️ Something to consider

This will be something that the application has been specifically designed to support - if you're unsure, we suggest checking with your web app developers.

What user guide should I follow?

If you're confident that header-based is for you, this is the article you'll need to get set up: Header-based authentication.


HTTP Basic Authentication

This is one of the most basic authentication methods involving a simple login window that appears in the browser.

Does it look like this?

⚠️ Something to consider

You'll also need to retrieve the Realm value – a string generally assigned by the origin server – if you want to authenticate using this method in Intruder.

What user guide should I follow?

To configure this, please see the instructions in this article.


Authenticated scans are available to any user with an Authentication license.
