How to perform Cookie Authentication with Website Scanner

The Cookies Authentication Method allows the user to make an authenticated scan by having a valid cookie header in the target application.
Written by Cristin Sirbu
Updated 2 years ago

HTTP Cookies are pieces of data that a web browser receives from the server and are usually used to identify the web session of a user (they are also called session cookies). 

After receiving a session cookie, the browser sends it with each HTTP request that it makes to that server. It is helpful to know that the request is associated with that particular user.


Since our Cookie-based Authentication Method mimics the behavior of a web browser that already has a session cookie, it is compatible with nearly all types of web applications that are using cookies to authenticate users. It requires the user to insert a valid session cookie in the ‘Cookie header’ field.

How to set it up

The session cookie must be taken from an already established web session (you need to manually login to your web app and get the cookies from your browser). In order to obtain the Cookie, please follow the steps in our “How to get the Session Cookie” article.

⚠️ In order for this kind of authentication to work, you’ll need to make sure to leave the logged-in session active through the duration of the scan. In other words, don’t log out of your authenticated session until it’s finished!

You can check authentication by clicking on the "Check authentication" button.

You can then check if the cookie is correct by using the “Check authentication” button. If the authentication is valid, the request should return a window showing the target webpage in authenticated mode. Otherwise, it will return a blank window.


If you encounter any errors when clicking on check Authentication or if you notice an Authentication error message when you start the scan you should check that:

  • The Cookie header is introduced correctly;
  • You still have an active session (the cookie is still valid);
  • The cookie header should only contain the cookie name and value sets. Ex: cookie_name1=cookie_value1; cookie_name2=cookie_value2; cookie_name3=cookie_value3;

Possible Errors

1. The Cookies method authentication is successful but the scan fails

Cause: If your cookies are renewed very often (for example every 5 minutes) then the scan will fail. A website scan could take several hours to complete. If those cookies will no longer be valid after 5 minutes, the scanner will process valid requests just in the first 5 minutes.

Solution: If possible, increase the lifetime of the cookies in your target web application. Otherwise, try the Header authentication method. However, you should pay attention to the lifetime of the headers (which might include cookies and tokens).

2. The cookie size is larger than 5000 characters.

Solution: None. This is a limitation of the scanner.

3. Your target application doesn’t use cookies to authenticate users.

Solution: Use the Header method.

If your cookies authenticated scan still fails, you should try one of the other authentication methods: Automatic, Recorded, Header
Did this answer your question?