ZAP Authentication Tester Session Handling Failed


mats...@gmail.com

Dec 18, 2025, 10:06:24 PM
to ZAP User Group
Hi Simon,

     I am seeing that when running the ZAP Authentication Tester, the user credentials work, but most of the time it fails in the session handling part (attached are the screenshot and diagnostic logs). Let me know what I am missing to get this fixed.
    Also, is it mandatory for the session handling/verification URL to show a green status in order to use the user in Contexts?

Thanks
Srikanth

AuthTesterDiagonasticLogs.txt
ZAP_Authentication_Tester.jpg

thc202

Dec 19, 2025, 2:35:08 AM
to zaprox...@googlegroups.com
Hi,

Are you including all necessary domains in scope?

It's not mandatory, but you need to configure the session/verification
yourself when ZAP was not able to do that automatically.

Best regards.

mats...@gmail.com

Dec 19, 2025, 6:46:12 AM
to ZAP User Group
I am not configuring any domains in the Domains tab. In most cases I see this failing on Session Handling, but in some cases I see it passing. Not sure what exactly it is looking for.

Thanks
Srikanth

Simon Bennetts

Jan 5, 2026, 10:45:20 AM
to ZAP User Group
Have a look at the domains that ZAP accesses when it tries to authenticate (via the Sites tree).
If any of those look like domains which could be involved in authentication or session handling, then add them to the Domains tab and try again.

Cheers,

Simon

mats...@gmail.com

Jan 6, 2026, 8:53:45 AM
to ZAP User Group
Hi Simon,

    Attached are the screenshots of both the Sites tab and the Authentication Tester, and the diagnostic logs.

    My domain is: mycontroller.test.com
    Context: WAAP
    I don't see any request going to a different domain in the Sites tab. FYI, I tried adding the mycontroller.test.com domain in the Domains section of the Authentication Tester; the results are the same.

Thanks
Srikanth
Auth_Tester_Site_Tabs.jpg
diagnostic_logs.txt

Simon Bennetts

Jan 9, 2026, 6:15:39 AM
to ZAP User Group
Hi Srikanth,

OK, so it's not a problem with missing domains.
I'm afraid I don't have time to analyse the diagnostics right now :/
But I can explain what you need to do.

Launch a browser from ZAP, log in to your app and then identify a request that looks like it is maintaining the session.
Any request which returns real data will probably do.

Then right click it and "Open in Requester Tab".
If you send it as is then it _should_ still work.
If so, then remove all of the headers that look like they could be related to the session and retry - it should then fail.
If that happens, then put them all back in and remove them one at a time, and keep testing until you can work out the minimum set of headers that are needed for the session.

Cheers,

Simon
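The elimination procedure Simon describes above can be scripted. The following is an added example and is not ZAP's own code nor anything posted in this thread: it takes a request captured from a logged-in browser session, treats each cookie and each session-looking header as a candidate, and drops candidates one at a time, keeping a candidate only when the request stops returning real data without it. The `send` callback is an assumption (in practice it would replay the request through the ZAP proxy and report whether real data came back); here it is a constructed stand-in, the header and token values are made up, and only the host name `mycontroller.test.com` is taken from the thread. It goes slightly beyond the post in that it tests individual cookies rather than the whole `Cookie` header, and the greedy order also handles a header that only becomes necessary after another one has been removed.

```python
# Added example (not ZAP code): automate the "remove session headers one at a
# time" procedure to find the minimum set a session depends on.
from typing import Callable, Dict, List, Set

# Constructed sample request headers, as captured from a browser launched from ZAP.
# Host is the one named in the thread; every token value is made up.
CAPTURED_HEADERS: Dict[str, str] = {
    "Host": "mycontroller.test.com",
    "Accept": "application/json",
    "User-Agent": "Mozilla/5.0",
    "Cookie": "JSESSIONID=abc123; theme=dark",
    "Authorization": "Bearer constructed.bearer.token",
    "X-XSRF-TOKEN": "constructed-csrf-1",
    "Referer": "https://mycontroller.test.com/home",
}

# Anything that plausibly carries session state. Individual cookies are named
# "Cookie:<name>" so the Cookie header is tested per cookie, not as one blob.
CANDIDATES: List[str] = [
    "Cookie:JSESSIONID", "Cookie:theme", "Authorization", "X-XSRF-TOKEN", "Referer",
]


def explode(headers: Dict[str, str]) -> Dict[str, str]:
    """Split the Cookie header into one 'Cookie:<name>' atom per cookie;
    every other header becomes a single atom keyed by its name."""
    atoms: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "cookie":
            for part in value.split(";"):
                part = part.strip()
                if part:
                    atoms["Cookie:" + part.split("=", 1)[0]] = part
        else:
            atoms[name] = value
    return atoms


def assemble(atoms: Dict[str, str]) -> Dict[str, str]:
    """Inverse of explode(): re-join the surviving cookies into one Cookie header."""
    headers: Dict[str, str] = {}
    cookies: List[str] = []
    for name, value in atoms.items():
        if name.startswith("Cookie:"):
            cookies.append(value)
        else:
            headers[name] = value
    if cookies:
        headers["Cookie"] = "; ".join(cookies)
    return headers


def find_minimal_session_headers(
    headers: Dict[str, str],
    candidates: List[str],
    send: Callable[[Dict[str, str]], bool],
) -> List[str]:
    """Greedy elimination: drop each candidate in turn and leave it dropped only
    while the request still returns real data. `send` replays the request with
    the given headers and returns True when real data comes back (assumed)."""
    atoms = explode(headers)
    if not send(assemble(atoms)):
        raise RuntimeError("request fails even unmodified; capture a fresh one")
    stripped = {k: v for k, v in atoms.items() if k not in candidates}
    if send(assemble(stripped)):
        return []  # no candidate carries the session; look at the URL or body instead
    removed: Set[str] = set()
    for name in candidates:
        trial = {k: v for k, v in atoms.items() if k not in removed and k != name}
        if send(assemble(trial)):
            removed.add(name)  # still works without it, so it is not part of the session
    return [c for c in candidates if c not in removed]


def fake_app_send(headers: Dict[str, str]) -> bool:
    """Constructed stand-in for the application: returns real data only when the
    JSESSIONID cookie and the CSRF header are both present."""
    cookie_names = {
        c.strip().split("=", 1)[0]
        for c in headers.get("Cookie", "").split(";") if c.strip()
    }
    return "JSESSIONID" in cookie_names and headers.get("X-XSRF-TOKEN") == "constructed-csrf-1"


if __name__ == "__main__":
    needed = find_minimal_session_headers(CAPTURED_HEADERS, CANDIDATES, fake_app_send)
    print("minimum set needed for the session:", needed)
```

The names that survive (here the `JSESSIONID` cookie and the `X-XSRF-TOKEN` header) are the ones the Authentication Tester's session handling has to track; everything else in the captured request was only noise from the browser. Replacing `fake_app_send` with a real replay through the proxy is all that is needed to run this against an actual application.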

mats...@gmail.com

Jan 9, 2026, 10:23:55 PM
to ZAP User Group
Hi Simon,
    So what you are saying is that for Session Handling in the Authentication Tester to be successful, we have to log in to the application via a browser via ZAP, do some navigation, and then connect the Authentication Tester.
    a) If I do the above it works, but I was mainly checking without logging in using the browser, which always fails.
    Is it always mandatory that we have to log in and authenticate via ZAP before using the Authentication Tester?

Thanks
Srikanth