ZAP docker Webswing StealSession not working due to possible incorrect config

Laura Pardo

Apr 8, 2021, 2:17:40 AM
to OWASP ZAP Developer Group
Hi,
I'm getting the following error when trying to reopen a Webswing session, say after refreshing or closing the browser.
Screenshot from 2021-04-08 02-32-32.png
After some investigation I found out that I'm able to restore the session by changing the following values in webswing.config[1]:
  • "maxClients" : 2,
  • "sessionMode" : "CONTINUE_FOR_USER"
If I understood correctly [2]:
  • "allowStealSession" seems to work only with CONTINUE_FOR_USER session mode. 
  • Elevating maxClients to more than 1 will allow reconnecting to or stealing the session, which is currently impossible since "swingSessionTimeout" : -1
I'm not sure if I'm missing some config or this was the expected behavior, but these changes allow the session to be restored. This also allows sharing the session between different machines, which could be useful, for example, to share a ZAP instance for collaboration purposes or the like within a team.

Thanks,
Laura
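
An added example (not part of the original post, and not ZAP's or Webswing's own code): a small Python check that reads a webswing.config-style JSON file and flags the setting combinations described in the post above. The JSON nesting, the `zap`/`swingConfig` key names and the sample values are constructed; the rules encode the poster's reading of the four settings, including the point that the working combination lets a session be picked up from another machine.

```python
import json

# Constructed sample, not the real ZAP webswing.config: only the four setting
# names come from the post; the nesting and the starting values are assumed.
SAMPLE = """
{
  "zap": {
    "swingConfig": {
      "maxClients": 1,
      "sessionMode": "CONTINUE_FOR_BROWSER",
      "swingSessionTimeout": -1,
      "allowStealSession": true
    }
  }
}
"""

KEYS = ("maxClients", "sessionMode", "swingSessionTimeout", "allowStealSession")

def find_session_blocks(node, path=""):
    """Yield (path, dict) for every JSON object that sets any of the four keys."""
    if isinstance(node, dict):
        if any(k in node for k in KEYS):
            yield path or "/", node
        for key, value in node.items():
            yield from find_session_blocks(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_session_blocks(value, f"{path}[{i}]")

def audit(config_text):
    """Return (path, finding) pairs for the combinations the post describes."""
    findings = []
    for path, block in find_session_blocks(json.loads(config_text)):
        steal = block.get("allowStealSession", False)
        mode = block.get("sessionMode")
        clients = block.get("maxClients")
        timeout = block.get("swingSessionTimeout")
        if steal and mode != "CONTINUE_FOR_USER":
            findings.append((path, "steal-ineffective"))   # steal needs this mode
        if clients == 1 and timeout == -1:
            findings.append((path, "no-reconnect"))        # sole client slot never frees
        if steal and mode == "CONTINUE_FOR_USER" and isinstance(clients, int) and clients > 1:
            findings.append((path, "session-shareable"))   # other machines can attach
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(path, finding)
```

A `session-shareable` finding means the restore works as the post describes, and also that access to the Webswing endpoint needs to be restricted to the people meant to share the instance.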


