Zap Automation Framework Authentication


Christopher Cochran

Mar 25, 2026, 5:30:11 PM
to ZAP User Group
Hey everyone,

I'm planning on using an automation framework plan in a CI/CD pipeline. I have authentication set up using browser-based authentication and cookie-based session management. I run the automation plan in ZAP desktop and the browser successfully logs in, but the issue is that the authentication cookie (it has an uncommon name but was added globally as a session cookie) isn't being sent in the header of the verification URL request, resulting in ZAP thinking it's logged out.

I'm not sure what the next steps are. The cookie is set as HttpOnly, Secure, and SameSite=Strict. There are various domains, but the domain that the verification URL is on has the cookie on other requests. Any help would be appreciated.

Thanks!

Christopher Cochran

Mar 25, 2026, 5:31:13 PM
to ZAP User Group
Here is a redacted version of the context in the automation plan:
  - name: context
    urls:
    - hidden
    includePaths:
    - hidden
    excludePaths:
    - ^https?://optimizationguide-pa\.googleapis\.com/.*
    - ^https?://.*\.googleapis\.com/.*
    authentication:
      method: browser
      parameters:
        loginPageUrl: https://auth.domain.com/login/#/form
        browserId: chrome
        diagnostics: false
        loginPageWait: 15
        steps:
        - description: wait
          type: WAIT
          timeout: 101
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: u
          type: USERNAME
          cssSelector: "input[placeholder=\"Enter your username\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: p
          type: PASSWORD
          cssSelector: "input[type=\"password\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: enter
          type: CLICK
          cssSelector: "button[label=\"Log in\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: wait3
          type: WAIT
          timeout: 200000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        stepDelay: 1
      verification:
        method: poll
        loggedInRegex: \QHTTP/1.1 200\E
        pollFrequency: 10
        pollUnits: requests
        pollUrl: https://api.hidden.com/profile
        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: user
      credentials:
        password: password
        username: username

Simon Bennetts

Mar 26, 2026, 11:20:36 AM
to ZAP User Group
Hiya,

Have you included the verification domain in the list of urls in the context?

Cheers,

Simon

Christopher Cochran

Mar 26, 2026, 4:19:36 PM
to ZAP User Group
Hey - yes, the verification URL domain is in "includePaths".

includePaths:
  - https:\/\/api.domain.com.*
excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*

verification URL: https://api.domain.com/profile

Christopher Cochran

Mar 31, 2026, 12:11:18 PM
to ZAP User Group
Here's a fuller version of the automation config. Not sure why the verification URL request doesn't contain the session cookie "x-access-token" after I added it as a session cookie. That cookie functions as the main auth token for our app.

env:
  contexts:
  - name: step
    urls:
    - https://auth.domain.com
    - https://api.domain.com
    - https://admin.domain.com
    - https://home.domain.com
    - https://main.home.domain.com
    includePaths:
    - https:\/\/auth.domain.com.*
    - https:\/\/admin.domain.com.*
    - https:\/\/api.domain.com.*
    - https:\/\/home.domain.com.*
    - https:\/\/main.home.domain.com.*

    excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*
        pollUrl: https://api.domain.com/profile

        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: scanuser
      credentials:
        password: password
        username: scanuser
  parameters: {}
jobs:
- type: passiveScan-config
  parameters: {}
- type: spider
  parameters:
    context: step
    user: scanuser
    url: https://admin.domain.com
  tests: []
- type: passiveScan-wait
  parameters: {}

Simon Bennetts

Apr 15, 2026, 12:22:48 PM
to ZAP User Group
Did you try using the ZAP Authentication Tester with all of those domains added?

If that doesn't work then I'd also try header-based session management, as that is a superset of cookie-based.

If those don't work then you'll need to work out where the cookie values are being set, and then give us a sanitized summary of what's going on.

Cheers,

Simon
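Two of the checks suggested in this thread can be done offline before touching ZAP again: whether the poll URL is actually inside the context's includePaths/excludePaths regexes, and whether a cookie with the attributes described (Domain, Path, Secure, HttpOnly, SameSite=Strict) would be attached to a request to that poll URL at all. The Python below is an added example written for this page, not ZAP's own code or the poster's config. The hostnames, the Set-Cookie lines and the cookie value "tok123" are constructed from the redacted details above, and it assumes ZAP matches context regexes against the whole URL (hence re.fullmatch rather than re.search).

```python
"""Offline diagnostics for the two questions raised in this thread:
  1. is the verification (poll) URL inside the ZAP context at all, and
  2. would the cookie issued at login be attached to a request to it.
Added example for this page, not ZAP's own code.
"""
import email.message
import re
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed sample data modelled on the redacted thread details.
LOGIN_URL = "https://auth.domain.com/login/"
POLL_URL = "https://api.domain.com/profile"
INCLUDE_PATHS = [r"https:\/\/auth.domain.com.*", r"https:\/\/api.domain.com.*"]
EXCLUDE_PATHS = [r"^https?:\/\/.*\.googleapis\.com/.*"]

# Two ways the login response could issue the token cookie. The attribute set
# (Secure, HttpOnly, SameSite=Strict) is the one described in the thread; the
# value "tok123" is made up.
PARENT_DOMAIN_COOKIE = ("x-access-token=tok123; Domain=.domain.com; Path=/; "
                        "Secure; HttpOnly; SameSite=Strict")
HOST_ONLY_COOKIE = "x-access-token=tok123; Path=/; Secure; HttpOnly; SameSite=Strict"


def in_context(url, include_paths, exclude_paths):
    """Context membership. Assumption: ZAP applies includePaths/excludePaths
    regexes to the whole URL, so re.fullmatch is used, not re.search."""
    included = any(re.fullmatch(p, url) for p in include_paths)
    excluded = any(re.fullmatch(p, url) for p in exclude_paths)
    return included and not excluded


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for line in set_cookie_headers:
            self._headers.add_header("Set-Cookie", line)

    def info(self):
        return self._headers


def cookie_header_for(set_on_url, set_cookie_headers, target_url):
    """Replay Set-Cookie lines seen in the response to set_on_url and return
    the Cookie header a standards-following client would send to target_url,
    or None if nothing would be sent.

    Only Domain, Path and Secure decide this. HttpOnly and SameSite are
    enforced by browsers; a proxy replaying cookies it has stored ignores
    both, so they cannot explain a cookie missing from a same-domain HTTPS
    request. A host-only cookie (no Domain attribute) set by auth.domain.com
    is never sent to api.domain.com; a Secure cookie is never sent over http.
    """
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie_headers), Request(set_on_url))
    target = Request(target_url)
    jar.add_cookie_header(target)
    return target.get_header("Cookie")


def diagnose(set_cookie_line, login_url=LOGIN_URL, poll_url=POLL_URL):
    """Summarise why a poll request might not carry the login cookie."""
    return {
        "poll_url_in_context": in_context(poll_url, INCLUDE_PATHS, EXCLUDE_PATHS),
        "cookie_to_poll_url": cookie_header_for(login_url, [set_cookie_line], poll_url),
        "cookie_to_login_host": cookie_header_for(
            login_url, [set_cookie_line], "https://auth.domain.com/me"),
        "cookie_over_plain_http": cookie_header_for(
            login_url, [set_cookie_line], "http://api.domain.com/profile"),
    }


if __name__ == "__main__":
    for label, line in (("Domain=.domain.com", PARENT_DOMAIN_COOKIE),
                        ("host-only", HOST_ONLY_COOKIE)):
        print(label)
        for key, value in diagnose(line).items():
            print(f"  {key}: {value}")
```

To use it against a real plan, paste the Set-Cookie line captured in ZAP's history for the login response into cookie_header_for together with the context's pollUrl. If the cookie is sent to the login host but not to the poll URL, the Domain attribute (or its absence) is the cause and no session-management setting in ZAP will change that; if it would be sent but ZAP still omits it, the problem is in where ZAP captured the token, which is the point at which the header-based session management Simon suggests becomes worth trying.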