Arachni: Discussion 2018-10-19T07:41:51Z
Session Check Pattern for a SPA

2016-08-24T16:51:41Z
<div><p>Authentication happens server-side though right?<br>
There must be an HTTP request you can make to determine a valid
session.</p></div>
Author: Tasos Laskos

2016-08-24T18:49:10Z
<div><p>I am not the developer of the application, but I have studied
the traffic flow.</p>
<p>The application will POST XML to an endpoint at a configured
interval. The XML includes the Security Token received after
successful authentication. The server returns a JSON response,
which is processed client-side. Based on that response, the page is
modified to re-enable the login section of the HTML if the session
has expired.</p></div>
Author: Frank

2016-08-25T14:20:22Z
<div><p>You can post something similar to determine the session status
based on the response, see: <a href="http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session#advanced-session-check-configuration">
http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...</a></p></div>
Author: Tasos Laskos

2016-08-29T14:41:22Z
<div><p>I'll take a look at this today to see if that will work.</p></div>
Author: Frank

2016-09-22T17:48:41Z
<div><p>Sorry for the delay in responding. This has not been
resolved.</p>
<p>For session check, we need to POST an XML message, and read a
message in the JSON response to determine if the session is still
valid.</p>
<p>In addition, part of the XML message needs to contain the
security token. The token for the message needs to be retrieved
from an Angular service.</p>
<p>How can we perform this?</p></div>
Author: Frank

2016-09-23T11:46:00Z (updated 2016-09-23T11:46:22Z)
<div><p>Not sure how to get the security token, is it stored in JS?<br>
If so you can evaluate JS and extract it with something like:</p>
<pre>
<code>token = browser.execute_script( 'return getToken();' )</code>
</pre>
<p>Then, you can set more complex log-in <a href="http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session#advanced-session-check-configuration">
options</a> at the end of the login script, something like:</p>
<pre>
<code>session.check_options = {
  method: :post,
  body: "<xml><token>#{token}</token></xml>"
}</code>
</pre></div>
Author: Tasos Laskos

2016-10-17T15:46:48Z
<div><p>We can close this. We have found another solution. Thanks!</p></div>
Author: Frank
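The session check discussed in this thread (POST an XML body carrying the security token, then read the JSON reply) sketched in plain Ruby as an added example; it is not code from the thread or from Arachni. It escapes the token before interpolating it into the XML and treats a non-JSON reply as an expired session. The `status`/`ok` field names and the sample replies are assumptions, since the thread does not show the application's real messages.

```ruby
require 'json'

# Characters that must be escaped before text is placed inside an XML element.
XML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;'
}.freeze

# Build the session-check body. The <xml><token> layout is the one sketched in
# the thread; the real application's schema is not shown there.
def session_check_body(token)
  raise ArgumentError, 'empty security token' if token.nil? || token.to_s.strip.empty?

  escaped = token.to_s.gsub(/[&<>"']/, XML_ESCAPES)
  "<xml><token>#{escaped}</token></xml>"
end

# Decide whether the JSON reply means the session is still valid.
# Assumption: the reply is an object with a "status" field whose value is
# "ok" while logged in (hypothetical names; adjust to the real endpoint).
def session_valid?(response_body, field: 'status', valid_value: 'ok')
  data = JSON.parse(response_body.to_s)
  data.is_a?(Hash) && data[field].to_s.casecmp?(valid_value)
rescue JSON::ParserError
  # An HTML login page or an empty body is not a valid-session reply.
  false
end

# Constructed sample replies, not captured from any real application.
SAMPLE_REPLIES = {
  valid:   '{"status":"OK","user":"demo"}',
  expired: '{"status":"expired","message":"Please log in again"}',
  html:    '<html><body>Login</body></html>',
  empty:   ''
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts session_check_body('abc&123<x>')
  SAMPLE_REPLIES.each { |name, body| puts "#{name}: #{session_valid?(body)}" }
end
```

Failing closed on unparseable replies means a redirect to an HTML login page is reported as a lost session rather than silently accepted.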