Skip to content

WebApp Testing Session Management

Session management maintains authenticated state throughout security scans. While authentication configuration handles initial credential acquisition, session management prevents unintentional logout during scanning activities such as parallel browsing, page reloads, and security injection testing.

Complete Configuration Example

The following configuration provides comprehensive session management for applications requiring maximum stability:

frontend_dast:
  # Session management mode
  integrated_authentication: true

  # Resource constraints
  parallel_workers: 1
  use_persistence: true

  # API security during authentication
  api_checks_during_auth: false

  # Prevent logout through element interaction
  scope:
    pages:
      blocklist_element_selectors:
        # Standard logout elements
        - "button:has-text('Sign Out')"
        - "button:has-text('Logout')"
        - "[data-testid='logout-button']"
        - "[data-action='logout']"
        - "a[href*='/logout']"

        # Destructive actions
        - "button:has-text('Delete Account')"
        - "[data-action='delete-account']"
        - "button:has-text('Change Password')"

    # Prevent logout through API injection
    api:
      skipped_url_patterns:
        - path: ".*/api/auth/.*"
          method: ".*"
        - path: ".*/api/token/refresh"
          method: POST
        - path: ".*/api/session/.*"
          method: ".*"

Session Management Modes

Standard Mode (Default)

Each parallel worker maintains independent session context. Authentication credentials are injected at worker initialization, but subsequent session state diverges across workers.

frontend_dast:
  parallel_workers: 3  # Independent sessions per worker

This mode is optimal for stateless applications with long-lived JWT tokens.

Integrated Authentication Mode

Shared session context is established across all scanner activities with automatic re-authentication upon session invalidation detection.

frontend_dast:
  integrated_authentication: true

Use Cases:

  • Short-lived tokens requiring automatic refresh
  • Complex multi-step authentication flows
  • Session-based authentication without stateless JWT tokens
  • Applications tracking session fingerprints or device identifiers

Single Page Worker Mode

A single browser instance persists throughout the entire scan, preserving JavaScript state and WebSocket connections.

frontend_dast:
  single_page_worker: true
  parallel_workers: 1  # Required

Use Cases:

  • Applications losing state on page reload
  • Critical WebSocket connections requiring persistence
  • Single-use CSRF tokens without refresh mechanisms

Preventing Session Termination

Frontend Element Blocking

The scanner includes built-in protection against common logout elements. Application-specific logout patterns require explicit configuration using Playwright locator syntax:

frontend_dast:
  scope:
    pages:
      blocklist_element_selectors:
        # Text-based logout buttons
        - "button:has-text('Sign Out')"
        - "button:has-text('Logout')"
        - "a:has-text('Log out')"

        # Data attribute selectors
        - "[data-testid='logout-button']"
        - "[data-action='logout']"

        # URL-based navigation
        - "a[href*='/logout']"
        - "a[href*='/sign-out']"

        # Destructive account management
        - "button:has-text('Delete Account')"
        - "[data-action='delete-account']"
        - "button:has-text('Change Password')"

        # Session termination
        - "button:has-text('End Session')"
        - "[data-action='clear-session']"

Advanced Selectors:

For applications with dynamic or context-sensitive logout elements:

frontend_dast:
  scope:
    pages:
      blocklist_element_selectors:
        # Proximity-based blocking
        - "button:near(:text('Are you sure you want to log out?'))"

        # Modal confirmation buttons
        - ".modal button:has-text('Confirm')"
        - "[role='dialog'] [data-action='confirm']"

        # Compound selectors
        - "[class*='danger']:has-text('Delete')"

        # ARIA label matching
        - "[aria-label*='sign out' i]"
        - "[aria-label*='log out' i]"

Selector Validation

Element selectors should be validated in development environments before production deployment. Overly broad selectors may prevent legitimate functionality testing, while insufficiently specific selectors may fail to prevent logout interactions.

API Traffic Injection Prevention

During frontend scans, captured API traffic undergoes security testing. This can inadvertently trigger session invalidation when authentication endpoints receive malformed payloads.

Vulnerable Scenarios:

  • Token refresh endpoints receiving injection payloads
  • Session management APIs being parameter-fuzzed
  • User profile endpoints receiving unauthorized payloads
  • MFA verification receiving invalid codes

Option 1: Disable API Security Testing

frontend_dast:
  security_checks_enabled:
    - ACTIVE_PAGE_CHECKS
    - PASSIVE_PAGE_CHECKS
    - NETWORK_CHECKS
    # API_CHECKS excluded

Option 2: Selective Endpoint Exclusion

frontend_dast:
  scope:
    api:
      skipped_url_patterns:
        - path: ".*/api/auth/.*"
          method: POST
        - path: ".*/api/token/refresh"
          method: POST
        - path: ".*/api/session/.*"
          method: ".*"
        - path: ".*/api/mfa/.*"
          method: ".*"

Regex patterns are supported using Python's re.fullmatch() syntax.

Option 3: Disable During Authentication Phase Only

frontend_dast:
  api_checks_during_auth: false

This configuration prevents API injection during authentication while maintaining testing for subsequent traffic.

Troubleshooting Session Loss

When scans exhibit authentication loss symptoms (reduced coverage, authorization errors, redirect to login pages), the following diagnostic sequence should be applied:

  1. Verify Initial Authentication

    Confirm successful authentication establishment:

    validation: true  # In authentication configuration

  2. Enable Integrated Authentication

    frontend_dast:
  integrated_authentication: true

  3. Reduce Parallelism

    frontend_dast:
  parallel_workers: 1

  4. Block Logout Elements

    Add application-specific logout selectors as documented above.

  5. Exclude Authentication Endpoints

    Prevent API injection on authentication endpoints as documented above.

  6. Enable Single Page Worker

    frontend_dast:
  single_page_worker: true
  parallel_workers: 1

Common Session Loss Patterns

Immediate Session Loss: Authentication validates successfully, but first crawled page shows unauthenticated state.

  • Causes: Cookie domain mismatch, localStorage not injected, expired CSRF tokens
  • Resolution: Verify cookie configuration in authentication preset, enable integrated_authentication

Gradual Degradation: Initial pages scan successfully, but coverage decreases over time with increasing authentication errors.

  • Causes: Session timeout, token refresh not triggered, rate limiting
  • Resolution: Configure token refresh in authentication preset, enable use_persistence, reduce parallel_workers

Intermittent Failures: Random pages fail authentication while most succeed.

  • Causes: Race conditions, session concurrency limitations, sporadic logout element interaction
  • Resolution: Enable integrated_authentication, add comprehensive logout element blocking, reduce to 1 worker

Configuration Templates

Maximum Stability:

frontend_dast:
  integrated_authentication: true
  parallel_workers: 1
  use_persistence: true
  api_checks_during_auth: false
  scope:
    pages:
      blocklist_element_selectors:
        - "button:has-text('Sign Out')"
        - "[data-action='logout']"
        - "a[href*='/logout']"
    api:
      skipped_url_patterns:
        - path: ".*/api/auth/.*"
          method: ".*"

Balanced Reliability and Performance:

frontend_dast:
  integrated_authentication: true
  parallel_workers: 2
  scope:
    pages:
      blocklist_element_selectors:
        - "button:has-text('Sign Out')"
    api:
      skipped_url_patterns:
        - path: ".*/api/auth/login"
          method: POST
        - path: ".*/api/token/refresh"
          method: POST

Performance-Optimized (for robust stateless authentication):

frontend_dast:
  parallel_workers: 3
  scope:
    pages:
      blocklist_element_selectors:
        - "button:has-text('Logout')"

Advanced Scenarios

Large-Scale Application Configuration

Large e-commerce sites with thousands of product pages require efficient crawling strategies:

frontend_dast:
  max_duration: 240
  parallel_workers: 3
  security_checks_enabled:
    - PASSIVE_PAGE_CHECKS
    - API_CHECKS
  scope:
    pages:
      blocklist_patterns:
        - ".*/product/[0-9]+/reviews.*"
        - ".*/category/.*/page/[0-9]+.*"
      max_parameterized_url_variations: 5

This configuration balances comprehensive coverage with practical scan duration by avoiding repetitive content patterns.

Session-Based vs Token-Based Authentication

Session-Based (Stateful): Applications using server-side session storage require integrated_authentication: true to prevent session conflicts.

Token-Based (Stateless): JWT or similar stateless tokens with long TTL function reliably without integrated authentication.

Multi-User Session Management

When scanning with multiple authenticated users, session management configuration applies uniformly across all authenticated user contexts.

Cross-Domain Session Management

Applications with authentication domains separate from application domains require auth domain inclusion in scope:

frontend_dast:
  scope:
    exploration:
      in_scope_domains:
        - app.example.com
        - auth.example.com