TOC & Recently Viewed

Recently Viewed Topics

Configure Cookie Authentication

These steps describe how to check the authentication values for the Cookie Authentication option in the Credentials settings for the Web App Overview and Web App Scan templates.

These steps assume that you already have a cookie authentication form ready to test your credentials.


  1. For the web application you want to scan, access the cookie authentication page.

  2. Type your credentials as necessary.

    cookie authentication test page

  3. Upon successful authentication, in the browser console, locate the call that performs the authentication. In this example, the call is login.

    The Cookies tab displays one or more key/value pairs. In this example, the pair is was-session and

    cookie authentication console

  4. In Web Application Scanning, either create a new scan, or access the scan settings for which you want to add credentials.
  5. In the scan settings, click the Credentials tab.
  6. Click General.
    1. In the Authentication Method drop-down box, select Cookie Authentication.
    2. In the Session Cookies box, type the key/value pairs that you retrieved in step 3.
    3. In the Page to verify active session box, type the URL for the cookie authentication form.
    4. In the Regex to verify active session box, type the regex to match when the credentials are correct.

      Note: In many cases, the regex is text that appears on the login page (e.g., Login Successful!)

      general settings

  7. Click the Save button.

    When you launch the scan, the Cookie Authentication Succeeded plugin appears in the scan results.

    cookie authentication succeeded plugin

    If the Cookie Authentication Failed plugin appears, the output indicates the reason for the failure.

    If the page did not authenticate successfully, there is an issue with the cookies sent to the scan.

    If the page did authenticate successfully, there may be an issue with the regex you defined.

    cookie authentication failed plugin

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable,, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.