Zap Automation Framework Authentication


Christopher Cochran

Mar 25, 2026, 5:30:11 PM
to ZAP User Group
Hey everyone,

I'm planning on using an automation framework plan in a CI/CD pipeline. I have authentication set up using browser-based authentication and cookie-based session management. I run the automation plan in ZAP desktop and the browser successfully logs in, but the issue is that the authentication cookie (it has an uncommon name but was added globally as a session cookie) isn't being sent in the header of the verification URL request, resulting in ZAP thinking it's logged out.

I'm not sure what the next steps are. The cookie is set as httpOnly, secure, and samesite=strict. There are various domains, but the domain that the verification URL is on has the cookie on other requests. Any help would be appreciated.

Thanks!

Christopher Cochran

Mar 25, 2026, 5:31:13 PM
to ZAP User Group
Here is a redacted version of the context in the automation plan:
  - name: context
    urls:
    - hidden
    includePaths:
    - hidden
    excludePaths:
    - ^https?://optimizationguide-pa\.googleapis\.com/.*
    - ^https?://.*\.googleapis\.com/.*
    authentication:
      method: browser
      parameters:
        loginPageUrl: https://auth.domain.com/login/#/form
        browserId: chrome
        diagnostics: false
        loginPageWait: 15
        steps:
        - description: wait
          type: WAIT
          timeout: 101
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: u
          type: USERNAME
          cssSelector: "input[placeholder=\"Enter your username\"]"   # closing ] added; the attribute selector was unterminated as posted
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: p
          type: PASSWORD
          cssSelector: "input[type=\"password\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: enter
          type: CLICK
          cssSelector: "button[label=\"Log in\"]"
          timeout: 1000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        - description: wait3
          type: WAIT
          timeout: 200000
          totp:
            secret: UserCredentials
            period: 30
            digits: 6
            algorithm: SHA1
        stepDelay: 1
      verification:
        method: poll
        loggedInRegex: \QHTTP/1.1 200\E
        pollFrequency: 10
        pollUnits: requests
        pollUrl: https://api.hidden.com/profile
        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: user
      credentials:
        password: password
        username: username

Simon Bennetts

Mar 26, 2026, 11:20:36 AM
to ZAP User Group
Hiya,

Have you included the verification domain in the list of urls in the context?

Cheers,

Simon

Christopher Cochran

Mar 26, 2026, 4:19:36 PM
to ZAP User Group
Hey - yes, the verification URL domain is in "includePaths".

includePaths:
  - https:\/\/api.domain.com.*
excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*

verification URL: https://api.domain.com/profile

Christopher Cochran

Mar 31, 2026, 12:11:18 PM
to ZAP User Group
Here's a fuller version of the automation config. Not sure why the verification URL request doesn't contain the session cookie "x-access-token" after I added it as a session cookie. That cookie functions as the main auth token for our app.

env:
  contexts:
  - name: step
    urls:
    - https://auth.domain.com
    - https://api.domain.com
    - https://admin.domain.com
    - https://home.domain.com
    - https://main.home.domain.com
    includePaths:
    - https:\/\/auth.domain.com.*
    - https:\/\/admin.domain.com.*
    - https:\/\/api.domain.com.*
    - https:\/\/home.domain.com.*
    - https:\/\/main.home.domain.com.*

    excludePaths:
    - ^https?:\/\/optimizationguide-pa\.googleapis\.com/.*
    - ^https?:\/\/.*\.googleapis\.com/.*
        pollUrl: https://api.domain.com/profile

        pollPostData: ""
    sessionManagement:
      method: cookie
    technology: {}
    structure: {}
    users:
    - name: scanuser
      credentials:
        password: password
        username: scanuser
  parameters: {}
jobs:
- type: passiveScan-config
  parameters: {}
- type: spider
  parameters:
    context: step
    user: scanuser
    url: https://admin.domain.com
  tests: []
- type: passiveScan-wait
  parameters: {}

Simon Bennetts

Apr 15, 2026, 12:22:48 PM
to ZAP User Group
Did you try using the ZAP Authentication Tester with all of those domains added?

If that doesn't work then I'd also try with header-based session management, as that is a superset of cookie-based.

If those don't work then you'll need to work out where the cookie values are being set, and then give us a sanitized summary of what's going on.

Cheers,

Simon

A ZAP User

Jun 24, 2026, 12:11:10 AM
to ZAP User Group
Hey All,

FYI - I ran across a similar (if not the same) scenario.

I have an auth system that injects a cookie for subsequent requests and it seems that the Auth poller (and only the Auth poller) does not send through the cookies for its Auth liveness checks (I scanned two requests, the post-login API request was fine but the poll request was not, see screenshots attached):

Authentication setup (Context):
auth-setup.png

Post-login request (correct):
post-login-request.png

Verification request (incorrect):
verification-request.png

Big guess here - FWICS (https://github.com/zaproxy/zaproxy/blob/0ef76c8de01393220fe01bd13925960baad68015/zap/src/main/java/org/zaproxy/zap/authentication/AuthenticationMethod.java#L408-L444) the Auth poller is simply sending through HTTP POST requests; these might be done out of context of the cookie session and thus might be sending through requests without those cookies.

As a result, I've just changed the Auth verification to Auto-Detect and have it run in the background incorrectly (if it runs at all).

It would be great if we could somehow inject the context through, happy to work on this with some guidance if this is somehow possible.

Cheers,
Dan

kingthorin+zap

Jun 24, 2026, 12:15:51 AM
to ZAP User Group
Your screenshot for polling shows a cross-origin request (referrer and request/host are different); cookies shouldn't be sent per SOP.

A ZAP User

Jun 24, 2026, 12:56:06 AM
to ZAP User Group
Hey Thorin,

Thanks for the guidance. I've removed the obsolete headers as part of the Authentication setup so as not to show any kind of referrer, but it appears to be behaving the same:

Verification request
verification_request.png

>  shows a cross origin request (referrer and request/host are different), cookies shouldn’t be sent per SOP

I might be misunderstanding the problem here, is it by design that the Authentication poller does not send through cookies if the Origin differs from the main context?

The authentication response does specify that the Cookie should apply to http://localhost:8888, which is respected in the post-authentication request (but not the verification request above):

Authentication response
auth_response.png

Post-authentication request
post_auth_request.png

I'd be surprised if it were the case, as it is a fairly common pattern for SPAs.

Cheers,
Dan
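As an added illustration (not code from this thread, nor from ZAP itself), the following Python models how a browser-style client decides whether a stored cookie accompanies a request: RFC 6265 domain and path matching, the Secure attribute, and the SameSite rules behind kingthorin's cross-origin remark. It is applied to the situation in the first post (an HttpOnly, Secure, SameSite=Strict cookie set on one subdomain and needed on another) and to Dan's localhost case. The Set-Cookie strings, hostnames and URLs below are constructed, the registrable-site helper is a simplification standing in for the Public Suffix List, and what ZAP's poller actually does with cookies is not modelled here; the point is to make the "why was it not sent" question answerable for a given cookie and request pair.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str            # lower-case host, or the Domain attribute without its leading dot
    host_only: bool        # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    same_site: str = "Lax"  # browsers default to Lax when the attribute is absent


def parse_set_cookie(header: str, response_url: str) -> Cookie:
    """Turn one Set-Cookie header, as received from response_url, into a Cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    host = (urlsplit(response_url).hostname or "").lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    return Cookie(
        name=name.strip(),
        value=value,
        domain=domain or host,          # no Domain attribute: scoped to the setting host only
        host_only=not domain,
        path=attrs.get("path") or "/",
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite", "Lax").capitalize(),
    )


def _site(host: str) -> str:
    """Registrable domain, simplified to the last two labels (assumption: a real
    client consults the Public Suffix List). A single label such as 'localhost'
    is its own site."""
    labels = host.lower().split(".")
    return host.lower() if len(labels) < 2 else ".".join(labels[-2:])


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """RFC 6265 domain matching: host-only cookies need an exact host match."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_send(cookie: Cookie, request_url: str, initiator_url: Optional[str] = None,
               top_level_navigation: bool = False) -> Tuple[bool, str]:
    """Return (sent?, reason). initiator_url is the page or origin that caused the
    request (what a Referer would usually reveal); None means no cross-site context."""
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    if cookie.secure and req.scheme != "https":
        return False, "Secure cookie is not sent over plain http"
    if not domain_matches(host, cookie):
        return False, f"domain mismatch: cookie scoped to {cookie.domain}, request host {host}"
    if not path_matches(req.path or "/", cookie.path):
        return False, f"path mismatch: cookie path {cookie.path}, request path {req.path}"
    if initiator_url is not None and cookie.same_site != "None":
        initiator_host = (urlsplit(initiator_url).hostname or "").lower()
        if _site(initiator_host) != _site(host):
            if cookie.same_site == "Strict":
                return False, "SameSite=Strict: cross-site request"
            if not top_level_navigation:
                return False, "SameSite=Lax: cross-site subrequest (not a top-level navigation)"
    return True, "sent"


if __name__ == "__main__":
    # Constructed cookie in the shape of the first post: set by the auth host with no Domain attribute.
    token = parse_set_cookie("x-access-token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
                             "https://auth.domain.com/login")
    for url, initiator in [("https://auth.domain.com/whoami", "https://auth.domain.com/"),
                           ("https://api.domain.com/profile", "https://home.domain.com/"),
                           ("https://api.domain.com/profile", "https://scanner.example/")]:
        print(token.name, "->", url, "from", initiator, ":", would_send(token, url, initiator))
```

Running the block prints a verdict per scenario. The two failure modes a practitioner should tell apart are visible in the reasons: a host-only cookie (no Domain attribute) never reaches a sibling subdomain regardless of SameSite, whereas a cookie with Domain=domain.com does reach api.domain.com but is still withheld under SameSite=Strict when the request's initiator is a different site.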