How to Replay Cookie-Based Session Tokens

This workaround replays a session cookie: capture the cookie from an authenticated browser session, then add it to your web application settings before launching a scan. It is not a solution for scheduled scans, because session cookies time out automatically, typically 20 minutes after the session has been idle on the web site. Treat the captured cookie as a credential: anyone who holds it can act as the logged-in user until the session expires, so capture it from a test account and paste it nowhere other than the scan settings.

Capture session cookie

You can use a web application proxy or other software to capture a session cookie.

If you don't already use a web application proxy, you can use a tool such as Fiddler, as described below.

Important! The use of the Fiddler application for capturing a session cookie is not supported by our security service. We describe the use of the Fiddler application to show how you can easily capture a session cookie using third party software of your choice to perform this task.

1       Go to the website http://www.fiddlertool.com/Fiddler2/version.asp and click on Install Fiddler2 to either install directly or download this application.

2     Install the application. It should be really straightforward.

3     Go to the login page of the web site you want to scan with Internet Explorer. (Fiddler registers itself as the system WinINET proxy, which Internet Explorer uses automatically; another browser must be pointed at Fiddler's proxy, 127.0.0.1 port 8888 by default, or its traffic will not be captured.)

4    Open the Fiddler application. By default it should already be capturing traffic; if not, open the File menu and make sure Capture Traffic (F12) is checked.

5     On the right pane click the Inspectors Tab and then click the sub-tab Raw (see image).

6     Go back to your login form and authenticate.

7     Once you're authenticated, go back to Fiddler and you'll notice new items with status 200 in the left pane. Click the last item with code 200, a request sent after you logged in so that its Cookie header belongs to the authenticated session, and the request appears in the top right pane (see image).

8     Make sure that the selected item is pointing to the web site that has the cookie you wish to capture (see image in Step 7, on the first line in the purple square).

9     Once you know it's the right web application, simply copy the full value of the Cookie line (see image in Step 7, inside the red square). Here is the value you should use according to the example inside the image:

Cookie: FullName=Saruman+Of+Many+colours; MemberID=1; username=saruman; Test2=My new cookie; ASPSESSIONIDQCSRABSB=JKNJEGBDCPOKIHFPIBCOEMGD

The Cookie header is a single header line even when the display wraps it (in the image it occupies two lines). Make sure you copy all of it, up to and including the last name=value pair.

That's it! You have your session cookie.

Important! Your cookie will be valid as long as the session is valid, usually 20 minutes after it's been idle on the web site. The cookie must be recaptured each time a scan is launched in order to use this workaround. For this reason, this workaround is not a solution for launching scheduled scans.
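The following is an added example, not part of the original page or of the scanning service: a small parser that extracts the Cookie header from a raw request as copied from a proxy's raw view, re-joins a header that was split over two lines, and refuses the capture if the Host header does not match the site you intend to scan (the check from Step 8). The sample request and the host name www.example.com are constructed for the example.

```python
# Constructed sample of what a proxy's raw request view shows for a request sent after
# login (not a real capture); the Cookie header is folded onto a second line, as happens
# when it is copied from a wrapped display.
SAMPLE_CAPTURE = (
    "GET /members/home.asp HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
    "Accept: text/html\r\n"
    "Cookie: FullName=Saruman+Of+Many+colours; MemberID=1; username=saruman;\r\n"
    " Test2=My new cookie; ASPSESSIONIDQCSRABSB=JKNJEGBDCPOKIHFPIBCOEMGD\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_raw_request(raw):
    """Split a raw HTTP request into (method, target, headers); header names are lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]   # drop any body
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    name = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()            # continuation of the previous header
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            sep = "; " if name == "cookie" else ", "        # cookies are joined with "; ", not ", "
            headers[name] = (headers[name] + sep if name in headers else "") + value.strip()
    return method, target, headers


def header_injection_value(raw, expected_host):
    """Return the exact line to paste into Header Injection, or None if this capture is unusable."""
    _method, _target, headers = parse_raw_request(raw)
    if headers.get("host", "").lower() != expected_host.lower():
        return None   # wrong proxy session: this request went to another site
    if "cookie" not in headers:
        return None   # no cookie at all: the request was sent before login, or cookies are blocked
    return "Cookie: " + headers["cookie"]


if __name__ == "__main__":
    print(header_injection_value(SAMPLE_CAPTURE, "www.example.com"))
```

The returned line matches the value shown in Step 9; a capture for the wrong host yields None rather than a cookie you would then inject against the wrong application.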

Add cookie to the web application settings

Insert your session cookie inside the web application settings each time you start a scan.

1       Log into your account and go to Web Applications > New Scan on the left menu.

2     On the New Web Application Scan page, click the Advanced Options link.

3     In the Header Injection input box, paste the captured Cookie header exactly as copied, including the leading Cookie: name.

4    Click OK.

When you start a new scan, the injected cookie will be automatically passed to the scanning engine as part of the scan request.

Important! You need to start your scan before the injected cookie becomes invalid. Typically a session cookie becomes invalid 20 minutes after the session has been idle on the web site. After this the cookie is still sent with the scan requests, but the web site no longer recognizes the session, so the scanning engine will not be authenticated. The scan itself can also end the session early: if the crawler follows the application's logout link, the web site invalidates the session and the rest of the scan runs unauthenticated, so make sure the scan does not request the logout page.
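As an added example, not part of the original page or of the scanning service, the exchange below shows both sides of the replay against a throw-away web application built with the Python standard library: one login issues a session cookie with an idle timeout, the captured Cookie header is replayed verbatim (as the Header Injection setting does, with no login form involved) and is accepted, and the same header replayed after the idle timeout is refused. The application, the credentials saruman/palantir, the one-second idle timeout and the paths /login and /secure are assumptions for the example; the cookie name is the one from the capture above.

```python
import http.client
import secrets
import threading
import time
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode

IDLE_TIMEOUT = 1.0                       # seconds, for the demo; real sites typically use 20 minutes
SESSION_COOKIE = "ASPSESSIONIDQCSRABSB"  # name taken from the capture above; value is random here

class SessionStore:
    """Server-side session table with idle expiry, as the target web site keeps it."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.sessions = {}       # session id -> (username, time of last request)

    def create(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = (username, time.monotonic())
        return sid

    def touch(self, sid):
        """Return the user of a live session and reset its idle timer, or None."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        if time.monotonic() - last_seen > self.idle_timeout:
            del self.sessions[sid]   # idle too long: the server forgets the session
            return None
        self.sessions[sid] = (username, time.monotonic())
        return username

class AppHandler(BaseHTTPRequestHandler):
    """Toy web app (assumed): POST /login issues the session cookie, GET /secure requires it."""
    store = SessionStore(IDLE_TIMEOUT)

    def log_message(self, *args):        # keep the demo quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = dict(parse_qsl(self.rfile.read(length).decode()))
        if self.path != "/login" or (form.get("username"), form.get("password")) != ("saruman", "palantir"):
            self.send_error(401)
            return
        sid = self.store.create(form["username"])
        self.send_response(302)
        self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly")
        self.send_header("Location", "/secure")
        self.end_headers()

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
        user = self.store.touch(sid)
        if self.path == "/secure" and user:
            body = f"welcome {user}".encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(302)      # not authenticated: bounce to the login form
            self.send_header("Location", "/login")
            self.end_headers()

def run_scenario():
    """Log in once, replay the captured Cookie header at once, then again after the idle timeout."""
    server = HTTPServer(("127.0.0.1", 0), AppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    try:
        # Capture step 6: the browser submits the login form and receives Set-Cookie.
        conn.request("POST", "/login", body=urlencode({"username": "saruman", "password": "palantir"}),
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        login = conn.getresponse()
        login.read()
        issued = SimpleCookie(login.getheader("Set-Cookie"))
        # Capture step 9: the Cookie line the proxy shows on the browser's next request.
        captured = f"{SESSION_COOKIE}={issued[SESSION_COOKIE].value}"

        # Header Injection: the scanner sends the captured header verbatim, no login form involved.
        conn.request("GET", "/secure", headers={"Cookie": captured})
        fresh = conn.getresponse()
        fresh.read()

        time.sleep(IDLE_TIMEOUT * 1.5)   # scan launched too late: the session sat idle past its timeout
        conn.request("GET", "/secure", headers={"Cookie": captured})
        stale = conn.getresponse()
        stale.read()
        return {"fresh": fresh.status, "stale": stale.status}
    finally:
        conn.close()
        server.shutdown()

if __name__ == "__main__":
    print(run_scenario())   # {'fresh': 200, 'stale': 302}
```

The stale replay is still sent with the cookie; the server simply no longer has a session for it and answers with the redirect an unauthenticated client gets, which is exactly what a scan launched after the timeout sees on every page.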