Authentication Tester - failed to identify session manager

Kjetil Lilleby

Jun 25, 2025, 9:18:24 AM
to ZAP User Group
Hi,
I've been trying out the authentication tester and the automation framework.
I've managed to successfully run the authentication tester, and I see that the user is logged in.

I had to specify the steps for the login:

```
  contexts:
  - name: workspace
    urls:
    - ${targetUrl}/workspace/
    - ${targetUrl}
    includePaths:
    - ${targetUrl}.*
    authentication:
      method: browser
      parameters:
        loginPageUrl: ${targetUrl}/workspace/
        browserId: chrome
        loginPageWait: 20
        steps:
        - description: Enter username
          type: USERNAME
          cssSelector: input#emailInput
          timeout: 1000
        - description: Submit email
          type: CLICK
          cssSelector: input#submitbutton
          timeout: 1000
        - description: Enter password
          type: PASSWORD
          xpath: "//input[@name=\"passwd\"]"
          timeout: 1000
        - description: Sign in
          type: CLICK
          xpath: "//input[@type=\"submit\"]"
          timeout: 1000
        - description: Stay signed in
          type: CLICK
          xpath: "//input[@type=\"submit\"]"
          timeout: 1000
      verification:
        method: autodetect
    sessionManagement:
      method: autodetect
      parameters: {}
    technology: {}
    structure: {}
    users:
    - name: *tu
      credentials:
        password: ${testPassword}
        username: ${testUser}
```

The username and password steps are recognized, but the session manager and the verification fail.

The diagnostics dump is attached.

thanks,
Kjetil




zap.dump.txt

Kjetil Lilleby

Jun 30, 2025, 4:54:38 AM
to ZAP User Group
Hi, help is really appreciated.

I also tried to define a session management script instead.
I basically used the same as for the juice shop; I only added a printout for each method.
The only output I get is:

```
processMessageToMatchSession: org.zaproxy.zap.session.ScriptBasedSessionManagementMethodType$SessionWrapper@6a4c9cd5
JS mgmt script: no token
processMessageToMatchSession: org.zaproxy.zap.session.ScriptBasedSessionManagementMethodType$SessionWrapper@25cebe01
JS mgmt script: no token
```
So the extractWebSession method isn't called.

Kjetil.
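
The dependency between the two hooks named in the log above, as an added example that is not part of the original post and is not ZAP's or the poster's code: it runs under Node with mock stand-ins for the session wrapper, and the JSON response shape, the `Authorization` header and the `authorizationFor` helper are assumptions made for illustration.

```javascript
// Hooks modelled on a ZAP session management script (assumed shape, not the poster's script).
const log = [];

function extractWebSession(sessionWrapper) {
  // Runs on the authentication response: pull the token out and keep it in the session.
  const body = sessionWrapper.getHttpMessage().getResponseBody().toString();
  const token = JSON.parse(body).authentication.token; // constructed response shape
  sessionWrapper.getSession().setValue("token", token);
  log.push("extractWebSession: stored token");
}

function processMessageToMatchSession(sessionWrapper) {
  // Runs on outgoing requests: attach the stored token, if there is one.
  const token = sessionWrapper.getSession().getValue("token");
  if (token === null) {
    log.push("JS mgmt script: no token");
    return;
  }
  sessionWrapper.getHttpMessage().getRequestHeader()
    .setHeader("Authorization", "Bearer " + token);
}

// Minimal offline mocks for the wrapper, session and HTTP message (not ZAP classes).
function mockSession() {
  const values = new Map();
  return {
    setValue: (k, v) => values.set(k, v),
    getValue: (k) => (values.has(k) ? values.get(k) : null),
  };
}

function mockWrapper(session, responseBody) {
  const headers = {};
  const msg = {
    getResponseBody: () => ({ toString: () => responseBody }),
    getRequestHeader: () => ({ setHeader: (n, v) => { headers[n] = v; } }),
  };
  return { getSession: () => session, getHttpMessage: () => msg, headers };
}

const SAMPLE_LOGIN_BODY = '{"authentication":{"token":"constructed-token"}}'; // constructed

// Drive one outgoing request; loginBody === null means extractWebSession never ran.
function authorizationFor(loginBody) {
  const session = mockSession();
  if (loginBody !== null) extractWebSession(mockWrapper(session, loginBody));
  const w = mockWrapper(session, "");
  processMessageToMatchSession(w);
  return w.headers.Authorization ?? null;
}
```

Calling `authorizationFor(null)` reproduces the "no token" line from the log, while `authorizationFor(SAMPLE_LOGIN_BODY)` shows the header being set once the extraction hook has seen a login response.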

Simon Bennetts

Jul 7, 2025, 11:37:00 AM
to ZAP User Group
Hiya,

I'm confused.
You said that the Authentication Tester worked but that the session manager and the verification fails.
Do you mean that you could see that the login was successful, but the session and verification detection failed?

Cheers,

Simon