Good afternoon all!
Is there more detailed information available on how the session management works in ZAP (specifically, automation plans)?
Our application uses multiple different cookies and auth headers for different subdomains. Ideally, I'd like to specify each one of these cookies that the browser (during AJAX and/or active scan) should *always* keep and store until reauthentication is needed.
The documentation here seems to indicate that cookies *are* stored, but this is not the case in my experience. Intercepting the requests and inspecting them shows that ZAP (during ascan) gets stuck in a 302 authentication loop because the scanner is not properly setting the cookie, despite the 302 attempting a Set-Cookie. The scanner requests the 302 location but does not include the cookie.
So my question: Is there more documentation on how/if it's possible to possibly specify cookies of note that the header session management keeps track of?
Something like:
# parameters:
#   Authorization: "Bearer {%json:access_token%}"
#   cookie: "cookie1={%cookie:cookie1%}; cookie2={%cookie:cookie2%};"
Thank you!
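The failure mode described in the post (a 302 to a login page that sets a cookie, followed by a redirect back that is requested without the cookie, so the chain never terminates) is easiest to reason about with a small model of a redirect-following client and a standards-compliant cookie jar. The following is an added example, not ZAP code and not part of the original post; the hostnames `app.example.test` and `api.example.test`, the cookie names and values, and the `fake_app` server are all constructed. It shows (a) that persisting `Set-Cookie` across the 302 chain is what breaks the loop, (b) that a host-only cookie set by one subdomain is correctly *not* sent to the other subdomain, which is why each subdomain in a setup like the one described needs its own cookie tracked, and (c) a loop detector a scanner should trip when cookies are not being kept.

```python
import email.message
import http.cookiejar
import urllib.parse
import urllib.request

# Constructed mock (hypothetical hosts): each subdomain guards its pages with
# its own session cookie.  An unauthenticated request is bounced to /login on
# the same host, which sets that host's cookie and redirects back to /home.
SESSIONS = {
    "app.example.test": ("app_session", "A1"),
    "api.example.test": ("api_session", "B2"),
}

# HTTP status codes whose Location header a client is expected to follow.
REDIRECTS = (301, 302, 303, 307, 308)


def fake_app(request):
    """Return (status, headers) for a urllib Request, honouring its Cookie header."""
    url = urllib.parse.urlsplit(request.full_url)
    name, value = SESSIONS[url.hostname]
    sent = dict(
        part.strip().split("=", 1)
        for part in request.get_header("Cookie", "").split(";")
        if "=" in part
    )
    if url.path == "/login":
        # Issue the host's session cookie and send the client back to /home.
        return 302, [
            ("Location", f"https://{url.hostname}/home"),
            ("Set-Cookie", f"{name}={value}; Path=/; Secure; HttpOnly"),
        ]
    if sent.get(name) == value:
        return 200, []
    return 302, [("Location", f"https://{url.hostname}/login")]


class FakeResponse:
    """Minimal response object exposing info() so CookieJar.extract_cookies() works."""

    def __init__(self, headers):
        self._msg = email.message.Message()
        for key, val in headers:
            self._msg[key] = val

    def info(self):
        return self._msg


def fetch(url, jar, app=fake_app, max_hops=6):
    """Follow redirects the way a scanner would.

    Returns (status, hops, cookie_header_on_final_request).  With jar=None the
    client discards Set-Cookie, reproducing the 302 loop from the post; status
    is then None and hops == max_hops.
    """
    for hop in range(max_hops):
        req = urllib.request.Request(url)
        if jar is not None:
            jar.add_cookie_header(req)  # only cookies scoped to this host are attached
        status, headers = app(req)
        if jar is not None:
            jar.extract_cookies(FakeResponse(headers), req)  # persist Set-Cookie
        if status in REDIRECTS:
            url = urllib.parse.urljoin(url, dict(headers)["Location"])
            continue
        return status, hop + 1, req.get_header("Cookie", "")
    return None, max_hops, None


def cookie_names(jar):
    """Sorted (domain, name) pairs currently held by the jar, for inspection."""
    return sorted((c.domain, c.name) for c in jar)


if __name__ == "__main__":
    jar = http.cookiejar.CookieJar()
    print("app with jar:", fetch("https://app.example.test/home", jar))
    print("api with jar:", fetch("https://api.example.test/home", jar))
    print("jar contents:", cookie_names(jar))
    print("no jar:      ", fetch("https://app.example.test/home", None))
```

Running this with a jar resolves each subdomain in three hops (home, login, home) and the final request to `api.example.test` carries only `api_session`, never `app_session`; with cookies discarded the client is still redirecting when `max_hops` runs out, which is the condition a scanner's session-management layer should surface rather than silently retry.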