⚠️ If you're thinking of an admin user when adding authentications, please read this article first: Adding an admin user when adding authentications
Selecting the authentication method
When you select session cookie authentication you will be presented with the following modal. Session cookie authentications can be used to send a specific cookie to the application with every request. This allows you to define one very complex cookie which can then be assigned to the scanner to authenticate to your application.
How to find the information
If you're unsure of where/how to find the information you need, please click the hyperlinks under 'Credentials' or refer to Where to Find Required Information (at the bottom of this article).
Adding the credentials
Throughout this example, we will be using 178.79.154.6 where we are hosting our test application, you may use a fully qualified domain name (FQDN) or IP address
In this example, we are starting our scan from the /php/ page of our application (http://178.79.154.6/php/). Unlike form-based authentication there is no login URL, instead the headers you define are sent with every request.
In our example we specify that there is a Logout URL which we want to exclude from scanning (http://178.79.154.6/php/logout), this will help us make sure that we don't invalidate the cookie you have set.
Cookies
We specify a Cookie Name of PHPSESSIONID with the value 0123456789abcdef0123456789abcdef. and a second cookie name Source with the value set to Intruder. You can add multiple cookies if you need to.
⚠️ It's worth noting that the cookie session needs to last long enough for a scan to run – we recommend at least a few hours, ideally up to 24 hours.
Managing authentication(s)
Once you've added the authentication you should see it appear under the Authentications Tab on the Target Details page:
Where to find the required information
This section will explain where you can find the details that need to be entered when you're adding authentications to a target.
Entrypoint URL
The entrypoint URL tells the scanner where it should start all of it's crawling and scanning from. Most often this will be the root of your web application. Which in our example would be http://178.79.154.6/ . Please note, there is not a path associated with the URL just a / on the end, which you should include if you want the full application to be scanned.
There are times when you won't want to scan from the root of the application, instead you might want to scan a subset. For example, when you have multiple applications running on the same target, but which live at different paths. For our example:
http://178.79.154.6/DVWA/http://178.79.154.6/MyOtherApp/http://178.79.154.6/SecretApp/
In this case, you would want to add 3 separate authentications each using one of the paths in the list.
Logout URL
The easiest way to find this would be to log in to the application and find the Logout button on your page (it may say Log Out or Sign Out or something similar). If you hover over the button you'll see the Logout URL at the bottom of your page, you can also right-click and 'Save link address', then paste into Intruder. If that doesn't work, please see our extended explanation.