Authentication tester failing to recognize session cookie?


Adam Risch

May 14, 2026, 1:17:31 PM
to ZAP User Group
I'm trying to set up an automation framework to scan one of my company's web apps, and when testing the authentication script in the authentication tester, it's failing, seemingly on the session handling (see attached image).

I've watched the Firefox browser that opens up, and ZAP appears to log in successfully. When I record the diagnostics I get this:

>>>>>
GET https://example0/
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
set-cookie: JSESSIONID=sanitizedtoken46
>>>>>
GET https://example0/sso.action
cookie: JSESSIONID="sanitizedtoken46"
<<<
HTTP/1.1 302 Found
>>>>>
GET https://example1/
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
>>>>>
GET https://example1/
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
>>>>>
POST https://example1/
content-type: application/x-www-form-urlencoded

AuthMethod=sanitizedtoken1&Password=sanitizedtoken2&UserName=sanitizedtoken3&
<<<
HTTP/1.1 302 Found
content-type: text/html; charset=utf-8
set-cookie: MSISAuth=sanitizedtoken47
>>>>>
GET https://example1/
cookie: MSISAuth="sanitizedtoken47"
<<<
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
set-cookie: MSISAuth=sanitizedtoken48
set-cookie: MSISAuthenticated=sanitizedtoken49
set-cookie: MSISLoopDetectionCookie=sanitizedtoken50
>>>>>
POST https://example0/ssoResponse.action
content-type: application/x-www-form-urlencoded

SAMLResponse=sanitizedtoken51&
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
set-cookie: JSESSIONID=sanitizedtoken52
>>>>>
POST https://example0/j_security_check
content-type: application/x-www-form-urlencoded
cookie: JSESSIONID="sanitizedtoken52"

j_password=sanitizedtoken51&j_username=sanitizedtoken10&ssoResponse=sanitizedtoken11&
<<<
HTTP/1.1 302 Found
set-cookie: JSESSIONID=sanitizedtoken53
>>>>>
GET https://example0/
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
>>>>>
GET https://example0/ajaxHomeUserEnvironment.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
>>>>>
GET https://example0/ajaxNewsLoad.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
>>>>>
GET https://example0/ajaxHomeTaskOwner.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
>>>>>
GET https://example0/ajaxHomeDashboard.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
>>>>>
GET https://example0/ajaxHomeActivity.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8
>>>>>
GET https://example0/ajaxHomeTaskYear.action
cookie: JSESSIONID="sanitizedtoken53"
<<<
HTTP/1.1 200 OK
content-type: text/html;charset=UTF-8


You can see the JSESSIONID cookie is present, and this token is enabled under Tools -> Options -> HTTP Sessions. I tried changing the session management method for the "Authentication test" context from "auto-detect" to "cookie-based", but I got the same result, and the authentication tester appears to set it back to "auto-detect" automatically anyway. Am I missing something?

[Attachment: auth_test1.jpg]

Simon Bennetts

May 27, 2026, 4:52:09 AM
to ZAP User Group
Hiya,
Also, have you included both of the domains in your scope?
If not then do so and try again.

Cheers,

Simon
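Simon's suggestion above, written out as an automation framework plan. This is an added example, not a file from either poster or from the ZAP project: one context whose scope covers both hosts that appear in the diagnostics (the application on example0, which issues JSESSIONID, and the identity provider on example1, which issues the MSISAuth cookies and posts the SAMLResponse back), with session management pinned to cookie-based instead of auto-detect. The two hostnames and the ajaxHomeUserEnvironment.action path are taken from the trace; the file name, context name, user name, browser id, poll regexes, the assumption that the poll URL returns 302 when unauthenticated, the environment variable names and the report settings are all assumptions made for the example.

```yaml
# Added example: a ZAP automation framework plan ("auth.yaml", a name chosen here)
# for the SSO login flow shown in the diagnostics. Not code from the thread or from ZAP.
# Hosts example0/example1 come from the trace; everything else is an assumption.
env:
  contexts:
    - name: "Authentication test"
      urls:
        - "https://example0/"
        - "https://example1/"          # the IdP must be in scope too, otherwise ZAP does
                                       # not track the MSISAuth* cookies or the SAML redirect
      includePaths:
        - "https://example0/.*"
        - "https://example1/.*"
      excludePaths: []
      authentication:
        method: "browser"              # drive the real login page in a browser
        parameters:
          loginPageUrl: "https://example0/"   # unauthenticated GET / starts the sso.action redirect
          loginPageWait: 5
          browserId: "firefox"         # switch to "firefox-headless" once the flow is confirmed
        verification:
          method: "poll"
          # Assumption: this endpoint answers 200 only with a valid JSESSIONID (it is
          # fetched with that cookie in the trace) and redirects (302) when logged out.
          loggedInRegex: "\\Q 200 OK\\E"
          loggedOutRegex: "\\Q 302 Found\\E"
          pollFrequency: 60
          pollUnits: "requests"
          pollUrl: "https://example0/ajaxHomeUserEnvironment.action"
          pollPostData: ""
      sessionManagement:
        method: "cookie"               # pinned; "autodetect" is the tester's default
        parameters: {}
      users:
        - name: "test-user"            # assumed user name
          credentials:
            username: "${ZAP_USERNAME}"   # assumed env var names; keep secrets out of the plan
            password: "${ZAP_PASSWORD}"
  parameters:
    failOnError: true
    failOnWarning: false
    progressToStdout: true
jobs:
  - type: "spider"
    parameters:
      context: "Authentication test"
      user: "test-user"
      url: "https://example0/"
      maxDuration: 5
  - type: "passiveScan-wait"
  - type: "report"
    parameters:
      template: "traditional-html"
      reportDir: "/tmp/zap-reports"    # assumed output location
      reportFile: "auth-test"
```

Run it with the ZAP CLI (`zap.sh -cmd -autorun auth.yaml`) after exporting the two environment variables; if the spider's requests in the History tab carry the JSESSIONID cookie and the poll URL keeps returning 200, the session is being tracked, and if they do not, the first thing to check is that both hosts really are inside the context's include paths.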