"No session tokens for: xxx"


Jack Heslop

May 12, 2026, 10:22:55 AM
to ZAP User Group
I have an automation framework plan, based on the "Full scan" profile using the clientSpider. Authentication is configured, and has been tested in ZAP desktop as per the instructions in https://www.zaproxy.org/docs/authentication/. I get an "Authentication successful" line in the output.

In my workflow I upload the zap.log file, and for ZAP-PassiveScan I can see several instances of:

2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Identified 1 request token(s) in http://localhost:3001/
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found source of sessionId
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found a total of 1 request token(s) in http://localhost:3001/
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found sources of session management tokens in http://localhost:3001/:
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found tokens cookie:sessionId

However, for the ZAP-Scanner I see several instances of:

2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending GET http://localhost:3001/claim/12
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG HttpSessionsSite - No session tokens for: localhost:3001
2026-05-12 13:42:39,069 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending message to: http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG BaseHttpSender - SUCCESSFUL
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG BaseHttpSender - Received response after 1ms for GET http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG HostProcess - scanSingleNode node plugin=SOAP XML Injection node=http://localhost:3001/claim/12
2026-05-12 13:42:39,070 [ZAP-Scanner-0] DEBUG HostProcess - scanSingleNode node plugin=SOAP XML Injection node=http://localhost:3001/claim/12/assess

The report insights show:

Level: Info
Reason: Informational
Description: Percentage of authentication failures
Statistic: 100%

Can anyone help me understand where the authentication might be falling over when it appears to work for the passive scan? Thanks in advance.

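As an added diagnostic (my own script, not code from ZAP or from the poster), this parses zap.log lines of the shape quoted in the post and lists hosts where the passive SessionDetectionScanRule reported session tokens but HttpSessionsSite told the active scanner it had none, so the two views can be compared per host. The sample log is constructed from the lines in the post, and the regexes assume ZAP's default log line layout.

```python
import re
import sys
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on the lines quoted in the post (not a real zap.log).
SAMPLE_LOG = """\
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found sources of session management tokens in http://localhost:3001/:
2026-05-12 13:42:38,906 [ZAP-PassiveScan-1] DEBUG SessionDetectionScanRule - Found tokens cookie:sessionId
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG BaseHttpSender - Sending GET http://localhost:3001/claim/12
2026-05-12 13:42:39,068 [ZAP-Scanner-0] DEBUG HttpSessionsSite - No session tokens for: localhost:3001
"""

# Assumed default layout: "<date> <time> [<thread>] <LEVEL> <Logger> - <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$")
FOUND_IN_RE = re.compile(r"Found sources of session management tokens in (?P<url>\S+):$")
FOUND_TOKENS_RE = re.compile(r"Found tokens (?P<tokens>.+)$")
NO_TOKENS_RE = re.compile(r"No session tokens for: (?P<site>\S+)$")


def triage(log_text):
    """Return {host:port: {"passive_tokens": set of token names, "scanner_missing": count}}."""
    sites = defaultdict(lambda: {"passive_tokens": set(), "scanner_missing": 0})
    pending_site = None  # host named by the most recent "Found sources ..." line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        logger, msg = m["logger"], m["msg"]
        if logger == "SessionDetectionScanRule":
            if (f := FOUND_IN_RE.search(msg)):
                pending_site = urlparse(f["url"]).netloc  # "http://localhost:3001/" -> "localhost:3001"
            elif (t := FOUND_TOKENS_RE.search(msg)) and pending_site:
                sites[pending_site]["passive_tokens"].update(t["tokens"].split())
        elif logger == "HttpSessionsSite" and (n := NO_TOKENS_RE.search(msg)):
            sites[n["site"]]["scanner_missing"] += 1
    return dict(sites)


def mismatches(summary):
    """Hosts where the passive scan saw tokens but the active scanner was given none."""
    return sorted(s for s, v in summary.items() if v["passive_tokens"] and v["scanner_missing"])


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for site in mismatches(result):
        v = result[site]
        print(f"{site}: passive saw {sorted(v['passive_tokens'])}, "
              f"scanner reported no session tokens {v['scanner_missing']} time(s)")
```

Run it as `python triage.py zap.log` against a real log; a host listed in the output is one where the session token ZAP detected passively never reached the active scanner's HTTP session store.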