"No session tokens for: xxx"


Jack Heslop

May 12, 2026, 10:22:55 AM
to ZAP User Group
I have an automation framework plan, based on the "Full scan" profile using the clientSpider. Authentication is configured, and has been tested in ZAP desktop as per the instructions in https://www.zaproxy.org/docs/authentication/. I get an "Authentication successful" line in the output.

In my workflow I upload the zap.log file, and for ZAP-PassiveScan can see several instances of:

2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 1 request token(s) in http://localhost:3001/
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found source of sessionId
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found a total of 1 request token(s) in http://localhost:3001/
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found sources of session management tokens in http://localhost:3001/:
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found tokens cookie:sessionId

However, for the ZAP-Scanner I see several instances of:

2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending GET http://localhost:3001/claim/12
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG HttpSessionsSite - No session tokens for: localhost:3001
2026-05-12 13:42:39,069 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending message to: http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG BaseHttpSender - SUCCESSFUL
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG BaseHttpSender - Received response after 1ms for GET http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG HostProcess - scanSingleNode node plugin=SOAP XML Injection node=http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG HostProcess - scanSingleNode node plugin=SOAP XML Injection node=http://localhost:3001/claim/12/assess

The report insights show:

Level: Info
Reason: Informational
Description: Percentage of authentication failures
Statistic: 100%

Can anyone help me understand where the authentication might be falling over when it appears to work for the passive scan? Thanks in advance.
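
A way to line up the two log patterns quoted above, as an added example that is not part of the original post or of ZAP's code: it tallies, per host, the tokens reported by SessionDetectionScanRule and how often each thread group logged "No session tokens for". The function name, the regexes, and the pairing of a "Found tokens" line with the preceding "Identified" line are assumptions; the sample is constructed from the lines in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample, built from the log lines quoted in the post above.
SAMPLE_LOG = """\
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 1 request token(s) in http://localhost:3001/
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found tokens cookie:sessionId
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending GET http://localhost:3001/claim/12
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG HttpSessionsSite - No session tokens for: localhost:3001
"""

# timestamp, [thread], level, logger, message
LINE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] \w+\s+(?P<logger>\S+) - (?P<msg>.*)$")
DETECTED = re.compile(r"Identified (\d+) request token\(s\) in (\S+)")
FOUND = re.compile(r"Found tokens (\S+)")
MISSING = re.compile(r"No session tokens for: (\S+)")


def summarise(log_text):
    """Per host: tokens the passive rule reported, and 'no token' counts per thread group."""
    hosts = defaultdict(lambda: {"detected": set(), "missing": defaultdict(int)})
    last_host = None  # assumption: "Found tokens" belongs to the preceding "Identified" line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack traces and wrapped lines
        thread, logger, msg = m["thread"], m["logger"], m["msg"]
        if logger == "SessionDetectionScanRule":
            if d := DETECTED.search(msg):
                last_host = urlsplit(d[2]).netloc
                hosts[last_host]  # register the host even if no token line follows
            elif (f := FOUND.search(msg)) and last_host:
                hosts[last_host]["detected"].add(f[1])
        elif logger == "HttpSessionsSite" and (n := MISSING.search(msg)):
            # Drop the numeric suffix so ZAP-Scanner-0, ZAP-Scanner-1, ... group together.
            hosts[n[1]]["missing"][re.sub(r"-\d+$", "", thread)] += 1
    return {h: {"detected": sorted(v["detected"]), "missing": dict(v["missing"])}
            for h, v in hosts.items()}


if __name__ == "__main__":
    for host, info in summarise(SAMPLE_LOG).items():
        print(host, info)
```

To run it over a real log, pass the contents of zap.log to `summarise` in place of `SAMPLE_LOG`.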

Simon Bennetts

May 27, 2026, 4:49:48 AM
to ZAP User Group
Hiya,

All apps work in very different ways, and as we do not have access to your app then I'm afraid you are going to have to work out what's going on.


Cheers,

Simon