The Acunetix Login Sequence Recorder can be used to test password-protected areas of your website automatically.

In order to scan a form-based password-protected area, you will need to make use of a Login Sequence during the scan. The Login Sequence can be configured from the Target settings page in the General tab using the Login Sequence Recorder (LSR). A Login Sequence is used to perform the following tasks during the crawling and scanning phases.

  • Access a form-based password-protected area
  • Replay login actions to authenticate to the website or web application
  • Restrict actions which the crawler and scanner can access (such as logout links)
  • Mark actions that require Manual Intervention each time they are accessed, such as pages with CAPTCHAs, one-time passwords and two-factor authentication

A new Login Sequence may be created by following the steps below.

  • Navigate to the Targets section from the left-hand-side menu
  • Select the Target for which you wish to record a Login Sequence
  • From the General settings tab, enable the Site Login pane, and select Use pre-recorded login sequence
  • Launch the LSR by clicking on the Launch Login Sequence Recorder link.
    If you are using Acunetix on Linux, you can launch the Login Sequence Recorder from Terminal by running acunetix-login-recorder.

Target Settings - Login Sequence

After launching the Login Sequence Recorder, your browser may pop up a confirmation dialogue asking whether you wish to open the LSR. Click on Launch Application or Open link (depending on your browser) to open the Login Sequence Recorder.

LSR Protocol Handler Browser Notice

By default, the LSR will browse to the Target URL that you are configuring the Login Sequence for.

LSR - Navigate to URL

You may start browsing to the login page and perform a successful login. Remember to use correct and valid credentials. With each action that is recorded, the panel on the right will start to be populated with login actions. Since the LSR is recording actions and not HTTP requests, it also works with web applications that make use of anti-CSRF tokens.

Once logged in, you may wish to replay the actions to ensure that the Login Sequence is valid and logs in successfully. This can be done by clicking on Play at the bottom-left of the screen.

LSR - Record Login Sequence

The right-hand-side pane shows a list of actions that have been recorded. Clicking on a specific action will reveal Action Properties on the bottom right-hand side of the screen. Click Next to record restrictions.

Recording Restrictions

Restrictions instruct the Crawler and Scanner not to follow specific links during a scan. Typically, you would want to restrict logout links or other links that might destroy a valid session in order to ensure that the scanner does not get logged out during the scan. The LSR also supports restrictions on HTTP methods commonly used in RESTful web services such as PATCH, PUT, DELETE in addition to the standard GET and POST requests.

If the link you are restricting contains a nonce or a one-time token, you may use wildcards (*) to restrict links with changing values. A Restriction may be set by following the steps below.

  • Click on the link that you wish to restrict.
  • Upon clicking the link, a dialogue will pop up asking if you wish for Acunetix to either
    • Intercept this request (either in its exact form or by using wildcards)
    • Forward such requests which match this request
    • Forward all requests, meaning that there will be no restrictions
    • In this example, we do not need to make any modifications to the Restriction, therefore we can select the first option – Restrict request using exact match
  • The Restriction will be recorded, and shown in the panel on the right. You may add as many restrictions as you need.

LSR - Restrict Link
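
The matching behaviour described above, as an added illustration in Python (not Acunetix's code and not the .lsr format): a restriction is modelled as an HTTP method plus a path-and-query pattern in which * matches any run of characters. The Restriction class, the helper names and the sample URLs are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Restriction:
    """Hypothetical model of one restriction: method + path/query pattern."""
    method: str
    pattern: str  # "*" stands for any run of characters (nonce, token, id)

    def matches(self, method: str, url: str) -> bool:
        if method.upper() != self.method.upper():
            return False
        parts = urlsplit(url)
        target = parts.path + ("?" + parts.query if parts.query else "")
        # Escape the literal text, then turn the escaped "*" back into ".*".
        regex = re.escape(self.pattern).replace(r"\*", ".*")
        return re.fullmatch(regex, target) is not None


def is_restricted(restrictions, method: str, url: str) -> bool:
    return any(r.matches(method, url) for r in restrictions)


def allowed_requests(restrictions, queue):
    """Drop every queued (method, url) pair that a restriction covers."""
    return [(m, u) for m, u in queue if not is_restricted(restrictions, m, u)]


# Constructed sample data: restrictions an operator might record.
RESTRICTIONS = [
    Restriction("GET", "/logout.php"),               # exact match
    Restriction("GET", "/account/signout?nonce=*"),  # link with one-time token
    Restriction("DELETE", "/api/users/*"),           # destructive REST call
]

# Constructed crawl queue for a placeholder host.
QUEUE = [
    ("GET", "https://app.example.test/profile"),
    ("GET", "https://app.example.test/logout.php"),
    ("GET", "https://app.example.test/account/signout?nonce=8f3a9c"),
    ("GET", "https://app.example.test/api/users/42"),
    ("DELETE", "https://app.example.test/api/users/42"),
    # The exact-match rule does not cover a logout link that gained a token.
    ("GET", "https://app.example.test/logout.php?t=771"),
]

if __name__ == "__main__":
    for method, url in allowed_requests(RESTRICTIONS, QUEUE):
        print("crawl:", method, url)
```

The last queue entry shows why a link carrying a changing token needs a wildcard: an exact-match restriction lets it through, and following it would end the scanner's session.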

Identifying a Valid Authentication Session

In the final step, the LSR will try to identify a valid session automatically. The session pattern is required, so that the Scanner will be able to know the difference between an invalid (logged out) and a valid (logged in) session. If the scanner is able to know that the session has been invalidated, it can replay the login sequence and validate the session again.

This is done by comparing the logged in and logged out states of the web application. There may be cases where no difference can be identified automatically. In such cases, you will need to either navigate to pages and let the LSR identify the pattern, or configure the pattern manually. In addition to authentication mechanisms that rely on cookies, the LSR also supports authentication mechanisms that rely on HTML5 LocalStorage.

LSR - Session Detection

While Navigating

  • This can be done by browsing to authenticated areas of the website that will return a different response depending on the user being logged in or logged out.
  • For example, a response from the website will contain the text “Logout” if the user is logged in. If it is not found in the response, the user is not logged in.


  • The session validation can be manually configured by choosing both the request being sent and the pattern returned.

The session pattern may be verified by clicking Check Pattern at the top of the right-hand-side panel.
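
The session-detection logic described in this section, sketched in Python as an added example (not Acunetix's implementation): it derives a pattern by comparing a logged-in and a logged-out response, checks the pattern, and replays the login when the session is found invalid. The Response and FakeApp classes, the function names and the sample pages are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def derive_pattern(logged_in: Response, logged_out: Response):
    """Compare the two states; return a (kind, value) test that only the
    logged-in response passes, or None when no difference is found."""
    if logged_in.status != logged_out.status:
        return ("status", logged_in.status)
    tokens = lambda r: set(re.findall(r"[A-Za-z]{4,}", r.body))
    only_in = tokens(logged_in) - tokens(logged_out)
    if only_in:
        # Deterministic pick; an operator would choose a stable marker by hand.
        return ("body_contains", min(only_in))
    return None  # identical responses: the pattern must be set manually


def check_pattern(pattern, response: Response) -> bool:
    kind, value = pattern
    if kind == "status":
        return response.status == value
    return value in response.body


def ensure_session(pattern, probe, replay_login, max_replays=1) -> int:
    """Probe the session URL and replay the login while the pattern fails.
    Returns the replays used; raises if the session stays invalid."""
    for replays in range(max_replays + 1):
        if check_pattern(pattern, probe()):
            return replays
        if replays < max_replays:
            replay_login()
    raise RuntimeError("login sequence invalid: session pattern never matched")


# Constructed sample responses for one authenticated page.
PROFILE_IN = Response(200, "<h1>Profile</h1> <a href='/logout'>Logout</a>")
PROFILE_OUT = Response(200, "<h1>Profile</h1> <a href='/login'>Sign in</a>")
REDIRECT_OUT = Response(302, "", {"Location": "/login"})


class FakeApp:
    """Constructed stand-in for a target site with a login state."""
    def __init__(self):
        self.logged_in, self.logins = False, 0

    def probe(self) -> Response:
        return PROFILE_IN if self.logged_in else PROFILE_OUT

    def login(self) -> None:
        self.logged_in, self.logins = True, self.logins + 1
```

When `derive_pattern` returns None the two states are indistinguishable on that page, which corresponds to the case above where the pattern has to be found by navigating elsewhere or configured manually.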

Once you click on Finish you will be prompted to save the .lsr file. Upload this saved file onto the Scan Target settings page.



  • Hi,

    The User Agent that is used by the Login Sequence Recorder (LSR) is the one that is selected in Configuration > Scan Settings > HTTP Options > User agent string.

    What technologies are used in your web site? Ideally, you get in touch with our support team, so we can get first hand experience of your website.

  • Hi,

    Testing all the web forms of the web application is an essential part of the scan. Testing involves submitting each web form multiple times. You should use the Login Sequence Recorder to restrict all the HTTP requests that you do not want the scanner to make, including clicking on buttons which delete users for example.

  • If you are referring to client certificates, in Acunetix WVS, the Login Sequence Recorder will automatically use any client certificates that you set up from Configuration > Application Settings > Client Certificates. Acunetix WVS will automatically decide which certificate to use based on a request’s URL.

  • Hi,

    You can insert a Manual action when you are recording the Login Actions using the Login Sequence Recorder. When the Login Sequence is replayed during the scan, you will be asked to insert the data required to proceed with the login.

  • Hi Steve,

    Yes, the latest version of the Acunetix LSR should support better SPA. I would recommend that you contact our support team so we can verify your SPA.

    The last step in the LSR is the part which detects the pattern that is used to identify a valid session. The LSR tries to do this automatically.
    Automatic detection is not always possible. In such cases, the LSR will go in manual browsing mode, where you will need to browse parts of the site which are only available once the user logs in (e.g. the user profile page or similar).

  • Hi,

    did you already configure the client certificate in Acunetix > Configuration > Application Settings > Client Certificates?

  • Hi Nazim,

    Thank you for your comment.

    The Login Sequence Recorder does support JavaScript. Perhaps it would be best to get in touch with our Support Team on to look into your issue in more detail.

  • Hi,

    We are using Acunetix 11 – web version that we just upgraded to (we were using v10.5). I have created a login sequence, which works, and have saved it however when I try to attach it to a target I get an error message:

    Login sequence has not been completely uploaded.

    With Retry and Dismiss options – neither of which allow me to progress and actually save and then start the scan.

    Thinking it was perhaps a browser issue, I’ve tried multiple browsers with the same result. Wondering if it is perhaps my permissions – I’m not a full admin, but a Tech Admin – so I can create and add targets.

    Any light you can shed on this please?

    • Hi Jesse,

      Thanks for your comment.

      Since we might need to take a look at some logs to find out what’s causing this, the best thing to do in this case would be to get in touch with our Support Team at for them to take a closer look into your issue.

  • Hi, I just upgraded to Acunetix 11 and I’m facing an issue. The website I have to scan uses a 2 factor authentication that requires a manual intervention (code sent by text message on cellphone). The new LSR doesn’t allow me to insert a manual action.

    How can I solve this issue ?

    • Hi Robert,

      Manual intervention will be re-introduced in Acunetix v11 in January 2017. Please scan this site using Acunetix v10.5 in the meantime.

  • Hi,
    I upgraded from 10.5 to 11 recently and the login sequences do not work any more. I record them successfully, with session detection and restriction, but when I use them during a scan, an error appears “The login sequence for xxxx is invalid”

    • Hi,

      the login sequences recorded in v10.5 should also work in v11. Please contact our support team ( so we can check why your login sequence files are not working in v11.

  • Hello,
    Do we know yet when manual intervention will be released for V. 11?

  • It is now the middle of February 2017. When can we expect manual intervention to be made available in v11?

  • HI,

    I tried to use Acunetix v11 and v10.5 to scan the same target. I could not use the login sequence recorder in v11, it always told me “login sequence not found”, but in v10.5 it worked. Even when I used the .lsr file which was created by v10.5, it still did not work in v11.

    I’m sure I got these messages “Pattern was successfully verified” and “Login Sequence Recorder has successfully identified a pattern to use for deteting session validity”.

    Please tell me what can I do.

    v11 version: 11.0.170471153

  • Hi,

    I was trying to find any reference or user guide which would explain whether the LSR could work with Silverlight applications?

    • Silverlight has been deprecated by Microsoft, and it is not supported by the major browsers. We do not use it in our testing.

  • I was using the crawler to see how deep it was scanning my web application. When I used the normal auto-login it only scanned 50 URLs in my website. I had to use the login sequence recorder to make sure my whole website was crawled (around 200 URLs). Now I’m trying to launch a scan but it’s taking so long, I’ve been scanning for 2.5 hours and it’s still at 1%. How can I make sure my website gets crawled correctly or how can I speed up my scan?

    • @Eliah: What was the reason behind the lesser crawling of URLs? Is it resolved, could you please let me know. Even I am facing them. What I am doing is recording the login sequence with navigation to almost all the pages, then only I am able to see more crawled locations.

  • Hello,

    How much does this system cost?
    How much time does the license have?

    Best regards,

  • My application uses SAML 2.0 for authentication.
    Does Acunetix provide support for SAML2.0?

  • Our API auth yields a JWT that must be provided in a header. Is this model supported?

    • Hi Barry,

      Yes, you may set custom headers from Target > Advanced > Custom Headers. Feel free to get in touch with our Support Team ( if you need further assistance

  • Hi,

    our login page is plain HTML and that part works fine with Login Sequence Recorder. However, everything else in our site is created with REACT and for some reason Login Sequence Recorder shows these parts as blank pages. Should Acunetix work with pages built with REACT?

    • Hi,

      This really depends on how you are using REACT. I am assuming that the site works on major browsers (Chrome, Firefox and Edge). If that is the case, I would recommend that you contact our support team (

      Thank you

  • Hi,

    My website is using two-factor authentication that when I login to the site using username and password, it will generate a random number and send to my email address. The random number needs to be input to the website for another layer of authentication.
    May I know how can the Acunetix web scanner record this login sequence?

    Thank you

    • Hi, you will need to use manual intervention for such sites. When recording the login actions, click on the icon with the key, and select “manual”.

      During the scan, when Acunetix encounters manual login actions, the scan will pause and you will be requested to provide the one time random number. You will need to have the Acunetix UI open so you can provide this.

  • Hi,
    I have 2 questions. First, my website requires a CAPTCHA code, and I have recorded a login sequence with manual intervention. And then I need to type the CAPTCHA code manually by clicking the “notification” icon, and click “resolve this issue” once I start the scanning. Then “The login sequence for x.x.x.x is invalid” is shown in the “Activity” part but the scanning is still processing. So I was confused by this message whether the login sequence is valid for scanning?
    Second question, can I configure the scanning profile ?

    Thank you

  • Hi,

    When the Login Sequence is deemed invalid, the scanner will proceed to scan the non-restricted areas of the site.

    I am not sure what you mean by scanning profile. You can configure the settings which will be used by the scanner for each Target. This is done in the Target’s settings. You can also configure custom Scan Types. This can be done from the Settings page > Scan Types.

  • Hi, This setup is not working for me. I can’t define separate login form and the system is not finding it automatically. Theoretically, I could use lsr file, but I must use Windows, even I’m on cloud version of Acunetix. Pretty clumsy guys!

    • Marko,

      The Login Sequence Recorder is currently only available on Windows. Check the latest updated Acunetix Online, which includes an updated auto-login system. Should the problem persist, please provide us information on the site and the login form, so we can identify why the login form is not being detected automatically.

  • Hi, I got a problem in login sequence with the website which has a verification code and it needs Java to be enabled to load the website. The problem is the website is not loading properly to allow me to enter the credentials and make a login a sequence file. Is there any place that I can enable the Java or Acunetix is using the default browser settings of the Windows machine?

    • Hi,

      The Acunetix LSR does not support loading JAVA applets. You might want to contact our support team and provide details about the site, so we can confirm this.

  • Hi,
    I tried running a scan using login sequence, but it got failed with below error:-
    {“data”:”There was an error checking session validity”,”kind”:”ls_error”,”address”:”x.x.x.x”,”scanId”:”acxxxxxx-fxxx-4xxx-9xxx-b0xxxxxxx”,”targetId”:”43xxxx-4xx-4xxx-axxx-0xxxx”,”scanningApp”:”wvs”}
    Can someone please let me know what is the issue here and how I can overcome this.

    Many thanks in advance.

    • Hi Ajay,

      Thank you for your comment. This would generally mean that the LSR file is either not configured properly in terms of session detection pattern, or the website is behaving in a particular way. It would be best to get in touch with our support team over at regarding this issue as they would be able to troubleshoot it further.

  • Hi,
    If I want to use the LSR do i have to use it only on the server it’s installed on?

    I get errors when trying to use LSR anywhere else.

    • Hi,

      That is correct, currently the LSR must always be used on the machine that Acunetix is installed on.

  • I’m using Acunetix LSR v11.x. When using it to record a login sequence, the website says that cookies are disabled, which is weird. I don’t see any place to enable them in LSR. Can this be done? if so, where?

    • Hi Robert, thanks for your comment. At first glance, we would recommend moving to Acunetix version 12, as it brings a large number of changes and fixes. That said, the LSR would accept Cookies without any issues as they are required in order to correctly create and maintain a session. In this case, it would be best to get in touch with and further explain why the application is returning such an error. That way, they can take the troubleshooting steps necessary to solve the issue.

  • Hi, I have a site that has 4 different login types that show different data once logged and navigate different pages. I have recorded all 4 login options. Is it possible to pass all 4 login sequences to the scan at the same time or do I need to pass them into 4 separate scans? When I am using the “Use pre-recorded login sequence”, it seems I can only select one .lsr file at a time.

    • Hi Colin,

      Thank you for your comment. You can only bind one login sequence to a target at a time. If you want to use multiple there are generally two options:

      – Four separate targets with distinct LSR files (preferred due to better filtering)
      – Changing the Target’s LSR file after each scan

      Hope this answers your question.

  • Will the manual input (for 2FA) functionality be available for the online version of the scanner any time soon?

  • Hi
    I see an error message “Failed to load page
    URL: **********
    Network error code 1
    Connection refused
    Please fix the error and try reloading the page.” in login sequence page While it(site) opens on Firefox and other browser . How can i solve it?


    • Hi Khademi,

      This would indicate that there is a network issue when trying to connect to the web application in question. This could be due to the web application being on a different network, or requiring a proxy to connect to it. In either case, it would be best to get in touch with our Support team over at as they would be able to assist you further.

  • My application uses OTP based 2FA. How do I record the LSR? Every time the request is generated, a new OTP is generated

    • Hi Prashant,

      You will need to record a login sequence, and manually add a Manual Intervention action when you need to use the OTP 2FA. During the scan, when the login actions are replayed, you will be asked to provide the OTP for the scanner to continue with the scan.

  • Hi,
    My application uses windows authentication for login. We don’t need to provide the username and password explicitly. The application automatically gets the user details from the browser (user credential used to run the browser).
    With build 12.0.190206130, when I try to record the login sequence, it takes the username as Domain/Machine_Host_name which is not correct. It doesn’t fetch the user details from the browser instance. With the previous version, it was working fine but with this update, this is failing. Do we have any setting to make the default login?

    • Hi,

      I doubt this was working in previous builds. It might have worked in the previous version of the Login Sequence Recorder, since this is started in the user context of the logged on user. However, during the scan, the Login Sequence would be executed by the scanner executable which is started as LocalSystem. This would have resulted in Domain/Machine_Host_name.

      I think the only way to successfully scan such a site would be to provide valid credentials in HTTP Authentication.

  • Hi,

    I am trying to set up the LSR but it won’t let me click “Finish” to save. I have completed all the steps but “Finish” won’t do anything. Any tips?
