Ajax Spider ignores script authorization.


Anton

Jun 3, 2021, 9:27:52 AM6/3/21
to OWASP ZAP User Group
Hi!
I have a web application with authorization through a token that is stored in session storage.

That's why I use 3 scripts: the first one is for authorization and sends the request to get the session token, plus some other requests to get the data required for login; the second one is a Session Management script that adds the session token to other requests; and the third one is a Selenium script that saves all the data to session storage.

All works perfectly for requests in the Manual Request Editor; also, if I start the browser in manual mode, the user is successfully logged in.

But when I want to start an automated scan or Ajax spider, it totally ignores authorization. 

Any ideas how to use authorization when Ajax spider is executed?

Simon Bennetts

Jun 3, 2021, 10:32:00 AM6/3/21
to OWASP ZAP User Group
It's complicated and completely depends on your app :(
If you have an app that uses simple authentication like BodgeIt, then the Ajax Spider will work in the same way as the standard spider with no changes.
However, if your authentication is more complicated and has a client-side component like Juice Shop, then you will need to do more.
In your case you will need to add the token to the browser's session storage, which is similar to Juice Shop.
The Juice Shop scripts which you can hopefully rip off are:
Cheers,

Simon
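The pattern Simon describes, as an added example (not code from the thread or from the ZAP project): a ZAP Session Management script that captures the token from the login response and replays it as an Authorization header, plus a Selenium script that writes the same token into the browser's sessionStorage when the Ajax Spider launches a browser. Assumptions: the login response is JSON with a top-level "token" field, the app reads sessionStorage key "token", and the hook names and objects (sessionWrapper, ssutils, ScriptVars) follow the ZAP script templates; in ZAP the two halves would live in two separate script files.

```javascript
// Added example; not part of the original thread or of ZAP itself.
var SESSION_KEY = "token";      // key inside the ZAP session (assumed)
var GLOBAL_VAR = "app.token";   // ScriptVars key shared by both scripts (assumed)
var STORAGE_KEY = "token";      // sessionStorage key the app reads (assumed)

// Pure helpers, testable outside ZAP.
function extractToken(body) {
  try {
    var t = JSON.parse(body)[SESSION_KEY];
    return typeof t === "string" && t.length > 0 ? t : null;
  } catch (e) {
    return null; // not JSON, or no usable token: leave the session untouched
  }
}
function bearerHeader(token) { return "Bearer " + token; }
// JS that the browser will run; JSON.stringify escapes quotes in the token so a
// hostile value cannot break out of the string literal passed to executeScript.
function storageScript(token) {
  return "window.sessionStorage.setItem(" + JSON.stringify(STORAGE_KEY) +
         ", " + JSON.stringify(token) + ")";
}
function scriptVars() { // ZAP-only; resolved lazily so the helpers load anywhere
  return Java.type("org.zaproxy.zap.extension.script.ScriptVars");
}

// ---- Session Management script hooks (ZAP calls these) ----
function extractWebSession(sessionWrapper) {
  var body = sessionWrapper.getHttpMessage().getResponseBody().toString();
  var token = extractToken(body);
  if (token === null) return;
  sessionWrapper.getSession().setValue(SESSION_KEY, token);
  scriptVars().setGlobalVar(GLOBAL_VAR, token); // hand it to the Selenium script
}
function clearWebSessionIdentifiers(sessionWrapper) {
  sessionWrapper.getHttpMessage().getRequestHeader().setHeader("Authorization", null);
}
function processMessageToMatchSession(sessionWrapper) {
  var token = sessionWrapper.getSession().getValue(SESSION_KEY);
  if (!token) return; // no session yet: send the request unauthenticated
  sessionWrapper.getHttpMessage().getRequestHeader()
                .setHeader("Authorization", bearerHeader(token));
}
function getRequiredParamsNames() { return []; }
function getOptionalParamsNames() { return []; }

// ---- Selenium script hook (runs when the Ajax Spider launches a browser) ----
function browserLaunched(ssutils) {
  var token = scriptVars().getGlobalVar(GLOBAL_VAR);
  if (!token) return; // authenticate first so the token exists
  ssutils.waitForURL(5000); // page must be on the app's origin before writing storage
  ssutils.getWebDriver().executeScript(storageScript(token));
}
```

Select the first half as the context's Session Management script and enable the second half under Scripts > selenium before running the Ajax Spider as the authenticated user.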