What Exactly Are the “Session-in” and “Session-out” Patterns?

Acunetix Web Vulnerability Scanner (WVS) uses “session-in” and “session-out” patterns to detect whether a logged-in session on your website has been invalidated and needs to be re-established. Acunetix WVS uses the login sequence recorded by the user to automate the log-in procedure required during a scan. Since Acunetix WVS accesses many different links while launching security tests, this may cause the logged-in session to be invalidated (for example, by requesting a logout link). To track whether the session is still valid, Acunetix WVS checks each response against the “session-in” or “session-out” pattern.

A “session-in” pattern confirms that the authentication session created by the “Login Sequence Recorder” is still valid, while a “session-out” pattern confirms that the authentication session is no longer valid.

Defining a “Session-in” or a “Session-out” Pattern

In the fourth step of the “Login Sequence Recorder” you can specify a “session-in” or “session-out” detection pattern by clicking the “Setup in-session detection (detection of invalidated sessions)” option. Acunetix WVS offers several ways to set up your session patterns using the “Setup in-session” mechanism.

Acunetix WVS Set up Session Detection

By clicking the “Detect” button, Acunetix WVS will try to detect the “session-in” or “session-out” pattern automatically. If, for any reason, automatic detection cannot find a “session-in” or “session-out” pattern, you can specify the exact pattern manually.

Acunetix WVS - Pattern Automatically Generated

The above example shows how to define a text pattern or a link that confirms whether the session is still valid. The text pattern can be plain text or a regular expression.

Acunetix WVS - How to Define Your Pattern

You can highlight the text pattern or link in the rendered page or directly in your website’s source code (body) by choosing the “Show in browser” or “Show raw data” option. Then click “Define pattern from selection” to use the highlighted text or link as the pattern. A regular expression is generated automatically from the selection.

The user can specify the location of the session pattern from the “Pattern type” drop-down menu. The different options provided are “In headers”, “Not in headers”, “In body”, “Not in body”, “Status code is” and “Status code is not”.

Acunetix WVS Confirms if a Logged in Session Is Valid

Once you have selected the desired pattern, click the “Check Pattern” button to confirm that Acunetix WVS can tell the difference between a logged-in session and a logged-out session using that pattern. A pattern that matches both responses (for example, a string that appears on every page) cannot be used for session detection.

Keep up to date with the latest news about Acunetix WVS by “liking” the Acunetix Facebook Page, reading the Acunetix Blog and following us on Twitter.

View all the Acunetix FAQs here.
