Zap Automation Framework Authentication


Christopher Cochran

Mar 25, 2026, 5:30:11 PM
to ZAP User Group
Hey everyone,

I'm planning on using an automation framework plan in a CI/CD pipeline. I have authentication set up using browser-based authentication and cookie-based session management. I run the automation plan in ZAP desktop and the browser successfully logs in, but the issue is that the authentication cookie (it has an uncommon name but was added globally as a session cookie) isn't being sent in the header of the verification URL request, resulting in ZAP thinking it's logged out.

I'm not sure what the next steps are. The cookie is set as HttpOnly, Secure, and SameSite=Strict. There are various domains, but the domain that the verification URL is on has the cookie on other requests. Any help would be appreciated.

Thanks!

Christopher Cochran

Mar 25, 2026, 5:31:13 PM
to ZAP User Group
Here is a redacted version of the context in the automation plan:
  - name: context
    urls:
    - hidden
    includePaths:
    - hidden
    excludePaths:
    - ^https?://optimizationguide-pa\.googleapis\.com/.*
    - ^https?://.*\.googleapis\.com/.*
    authentication:
      method: browser
      parameters:
        loginPageUrl: https://auth.domain.com/login/#/form
        browserId: chrome
        diagnostics: false
        loginPageWait: 15
        steps:
        - description: wait
          type: WAIT
          timeout: 101
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: u
          type: USERNAME
          cssSelector: "input[placeholder=\"Enter your username\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: p
          type: PASSWORD
          cssSelector: "input[type=\"password\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: enter
          type: CLICK
          cssSelector: "button[label=\"Log in\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: wait3
          type: WAIT
          timeout: 200000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        stepDelay: 1
      verification:
        method: poll
        loggedInRegex: \QHTTP/1.1 200\E
        pollFrequency: 10
        pollUnits: requests
        pollUrl: https://api.hidden.com/profile
        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: user
      credentials:
        password: password
        username: username

Simon Bennetts

Mar 26, 2026, 11:20:36 AM
to ZAP User Group
Hiya,

Have you included the verification domain in the list of urls in the context?

Cheers,

Simon

Christopher Cochran

Mar 26, 2026, 4:19:36 PM
to ZAP User Group
Hey, yes, the verification URL domain is in "includePaths".

includePaths:
  - https:\/\/api.domain.com.*
excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*

verification URL: https://api.domain.com/profile

Christopher Cochran

12:11 PM
to ZAP User Group
Here's a fuller version of the automation config. Not sure why the verification URL request doesn't contain the session cookie "x-access-token" after I added it as a session cookie. That cookie functions as the main auth token for our app.

env:
  contexts:
  - name: step
    urls:
    - https://auth.domain.com
    - https://api.domain.com
    - https://admin.domain.com
    - https://home.domain.com
    - https://main.home.domain.com
    includePaths:
    - https:\/\/auth.domain.com.*
    - https:\/\/admin.domain.com.*
    - https:\/\/api.domain.com.*
    - https:\/\/home.domain.com.*
    - https:\/\/main.home.domain.com.*

    excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*
        pollUrl: https://api.domain.com/profile

        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: scanuser
      credentials:
        password: password
        username: scanuser
  parameters: {}
jobs:
- type: passiveScan-config
  parameters: {}
- type: spider
  parameters:
    context: step
    user: scanuser
    url: https://admin.domain.com
  tests: []
- type: passiveScan-wait
  parameters: {}
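The two things this thread turns on can be checked offline before the plan is run again: whether the poll verification URL is really inside the context (Simon's question), and whether a cookie set during the login at auth.domain.com would be attached to a request for api.domain.com at all under RFC 6265 domain, path and Secure matching. The script below is an added example, not ZAP's code and not from any poster in the thread. It embeds the context from the last post as a Python dict, mirrors ZAP's rule that a context regex must match the whole URL, and uses a constructed Set-Cookie header for "x-access-token": the thread names the cookie and its HttpOnly/Secure/SameSite flags but not its Domain or Path attributes, so those are assumptions. HttpOnly and SameSite are ignored on purpose, because they constrain browsers, not an HTTP client such as ZAP replaying the cookie.

```python
"""Offline lint for a ZAP Automation Framework context: is the poll
verification URL in scope, and would the login cookie reach it?
Added example; not ZAP's own code and not from the thread."""
import re
from urllib.parse import urlsplit

# Constructed from the context posted in the thread (hostnames as posted).
CONTEXT = {
    "name": "step",
    "urls": [
        "https://auth.domain.com",
        "https://api.domain.com",
        "https://admin.domain.com",
        "https://home.domain.com",
        "https://main.home.domain.com",
    ],
    "includePaths": [
        r"https:\/\/auth.domain.com.*",
        r"https:\/\/admin.domain.com.*",
        r"https:\/\/api.domain.com.*",
        r"https:\/\/home.domain.com.*",
        r"https:\/\/main.home.domain.com.*",
    ],
    "excludePaths": [
        r"^https?:\/\/optimizationguide-pa\.googleapis\.com/.*",
        r"^https?:\/\/.*\.googleapis\.com/.*",
    ],
    "pollUrl": "https://api.domain.com/profile",
}

# Constructed Set-Cookie header. The thread gives the name and the flags;
# the absence of a Domain attribute here is an assumption for illustration.
LOGIN_SET_COOKIE = "x-access-token=REDACTED; Path=/; Secure; HttpOnly; SameSite=Strict"
LOGIN_HOST = "auth.domain.com"


def matches_any(url, patterns):
    """ZAP evaluates context regexes against the whole URL, so fullmatch:
    a pattern without a trailing .* matches only that exact URL."""
    return [p for p in patterns if re.fullmatch(p, url)]


def in_scope(url, ctx):
    """In scope if some includePaths regex matches and no excludePaths regex does."""
    included = matches_any(url, ctx.get("includePaths", []))
    excluded = matches_any(url, ctx.get("excludePaths", []))
    return bool(included) and not excluded


def host_listed(url, ctx):
    """Is the verification host one of the context's top-level 'urls'?"""
    host = urlsplit(url).hostname
    return any(urlsplit(u).hostname == host for u in ctx.get("urls", []))


def _path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_sent_to(set_cookie, set_by_host, url):
    """Would this cookie be attached to a request for url?  Only Domain,
    Path and Secure are considered; HttpOnly and SameSite do not restrict
    an HTTP client like ZAP."""
    _name_value, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:  # Domain attribute: that host or any subdomain of it
        domain_ok = host == domain or host.endswith("." + domain)
    else:  # no Domain attribute: host-only cookie, only the setting host
        domain_ok = host == set_by_host.lower()
    secure_ok = "secure" not in attrs or target.scheme == "https"
    path_ok = _path_match(target.path or "/", attrs.get("path") or "/")
    return domain_ok and secure_ok and path_ok


def lint_context(ctx, set_cookie=None, set_by_host=None):
    """Return findings as strings; an empty list means the poll URL is in
    scope and (if a cookie was given) the cookie would be sent to it."""
    findings = []
    poll = ctx["pollUrl"]
    if not host_listed(poll, ctx):
        findings.append(f"pollUrl host is not in context urls: {poll}")
    if not in_scope(poll, ctx):
        findings.append(f"pollUrl not matched by includePaths, or excluded: {poll}")
    if set_cookie and not cookie_sent_to(set_cookie, set_by_host, poll):
        findings.append(f"cookie set by {set_by_host} would not be sent to {poll}; "
                        f"check its Domain/Path/Secure attributes")
    return findings


if __name__ == "__main__":
    for line in lint_context(CONTEXT, LOGIN_SET_COOKIE, LOGIN_HOST) or ["no findings"]:
        print(line)
```

With the posted context the scope checks pass, so if the cookie still does not appear on the poll request, the next thing to inspect in ZAP's History tab is the Set-Cookie response that created it: a cookie issued by auth.domain.com without a Domain attribute is host-only and is never sent to api.domain.com, regardless of how it was registered as a session token.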