Keep login session using ZAP Proxy


Amelie Fowl

Jul 17, 2018, 1:14:07 AM
to OWASP ZAP Scripts
Are there any scripts to make a persistent cookie using ZAP? One site doesn't keep my session for more than a few minutes and I'm tired of typing my credentials every time I want to use this site. I don't manage this site. But how can I make this site save my session every time I open my browser through the ZAP proxy?

Simon Bennetts

Jul 17, 2018, 3:20:33 AM
to OWASP ZAP Scripts
You'll probably need to dig into exactly how the site is maintaining its session.
If it's using a cookie that's timing out on the client side then yes, you might well be able to use ZAP to change it.
Is the site setting a session cookie using 'Set-Cookie'?
If so, is it setting an 'expires' directive?
If it is then you can try using the ZAP 'break' feature to intercept the request that's using Set-Cookie and manually changing the expires directive to a much later time.
That might do the trick unless the server is performing its own checks on the cookie expiry.

Another option is to use the ZAP 'forced user' mode.
In this case you'll have to configure ZAP to understand how the site handles authentication and to configure it with your credentials.
If you can do that then it won't matter if the site logs you out, ZAP will just log you back in transparently.
Unfortunately setting up authentication in ZAP could be easier - we have an ongoing project to improve this.

Let us know how you get on and if you need any more help.
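The manual 'break' edit of the expires directive described in the reply above can be automated with a ZAP proxy script. The following is an added example, not code from the thread or from the ZAP project; `COOKIE_NAME` and `LIFETIME_SECONDS` are assumed values to adjust for the site, and the hooks assume ZAP's standard proxy-script interface. It only changes what the browser stores, so it has no effect when the server enforces its own expiry.

```javascript
// Added example: pure helper plus ZAP proxy-script hooks.
// COOKIE_NAME and LIFETIME_SECONDS are assumptions; set them for your site.
var COOKIE_NAME = "SESSIONID";             // hypothetical session cookie name
var LIFETIME_SECONDS = 30 * 24 * 60 * 60;  // 30 days

// Rewrite one Set-Cookie header value. Returns it unchanged unless it sets
// `name` and already carries an Expires or Max-Age attribute.
function extendCookie(value, name, lifetimeSeconds, nowMs) {
  var parts = String(value).split(";").map(function (p) { return p.trim(); });
  var eq = parts[0].indexOf("=");
  if (eq < 0 || parts[0].substring(0, eq) !== name) return String(value);

  var hadExpiry = false;
  var kept = parts.slice(1).filter(function (attr) {
    var key = attr.split("=")[0].trim().toLowerCase();
    if (key === "expires" || key === "max-age") { hadExpiry = true; return false; }
    return attr.length > 0;               // keep Path, Secure, HttpOnly, ...
  });
  if (!hadExpiry) return String(value);

  // Max-Age takes precedence in modern browsers, so set both consistently.
  var expires = new Date(nowMs + lifetimeSeconds * 1000).toUTCString();
  return [parts[0], "Expires=" + expires, "Max-Age=" + lifetimeSeconds]
    .concat(kept).join("; ");
}

// ZAP proxy-script entry points. Returning true forwards the message.
function proxyRequest(msg) { return true; }

function proxyResponse(msg) {
  var header = msg.getResponseHeader();
  var values = header.getHeaderValues("Set-Cookie");   // java.util.List
  var rewritten = [];
  for (var i = 0; i < values.size(); i++) {
    rewritten.push(extendCookie(values.get(i), COOKIE_NAME,
                                LIFETIME_SECONDS, Date.now()));
  }
  if (rewritten.length > 0) {
    header.setHeader("Set-Cookie", null);  // remove the original headers
    rewritten.forEach(function (v) { header.addHeader("Set-Cookie", v); });
  }
  return true;
}
```
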