Hi,

thanks for the quick response.

> Maybe the web_spider is following the logout link, which is
> invalidating the session?

> You should ignore logout URLs when doing auth scans

I already did by using ignore_regex: "(phpLogout\.php|phpNewPassword\.php)"

By this I hope it does not call any URL with these two scripts inside. Both 
would be bad for the scan.

> Yeah, that could be because of the javascript redirect. Maybe try to
> set phpAccountSummary.php in the w3af target configuration?

I changed the target to be phpAccountSummary.php. But now it logs in successfully and 
unsuccessfully a few times. It does not spider any other URLs now. It does not find a 
single URL; but in "Results", if I look for this request, I can see that the 
successful requests returned several links, but they are not followed at all.

> No, let's try with the things I recommended above, if that doesn't work
> we'll try giving w3af a cookie via config/http/cookies

Hm. The cookie with the Session-ID is returned by the first call to phpLogin.php. I 
assumed that w3af is using the cookies like a web browser does (e.g. after receiving one, 
always send the content with every further request). But from the requests shown in 
"Results", it does not send the cookie it received before with the next 
requests. It simply does not respect the session cookie. Interestingly, another cookie is 
always used (but there the content is static and no session ID).

Any other idea?
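The two failure modes discussed in this thread, the spider following the logout link and the session cookie from phpLogin.php not being re-sent on later requests, as a self-contained Python simulation added to this page. This is not w3af's code and not from the thread: it reuses the thread's ignore_regex and the phpLogin.php / phpLogout.php / phpNewPassword.php / phpAccountSummary.php page names, while the host example.test, the phpStatement.php page, the session id and the fake server are constructed. Cookie handling goes through the standard library's http.cookiejar, so the "send the cookie with every further request" behaviour is the real browser-like logic; only the server is faked so the script runs offline.

```python
import re
from email.message import Message
from http.cookiejar import CookieJar
from urllib.parse import urljoin
from urllib.request import Request

BASE = "http://example.test/"                      # constructed host
IGNORE_REGEX = re.compile(r"(phpLogout\.php|phpNewPassword\.php)")  # regex from the thread
VALID_SID = "sid-constructed-123"                  # constructed session id

# Constructed fake site: which links each authenticated page contains.
PAGES = {
    "phpAccountSummary.php": ["phpStatement.php", "phpLogout.php", "phpNewPassword.php"],
    "phpStatement.php": ["phpAccountSummary.php"],
}


def links_html(links):
    return "".join(f'<a href="{link}">link</a>' for link in links)


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, status, body, headers=()):
        self.status = status
        self.body = body
        self._headers = Message()
        for name, value in headers:
            self._headers[name] = value

    def info(self):
        return self._headers


def fake_server(req, state):
    """Constructed stand-in for the application: login sets a session cookie,
    logout destroys the session, every other page needs the cookie or
    redirects back to the login page."""
    path = req.full_url[len(BASE):]
    cookie_header = req.get_header("Cookie", "")
    authed = state["sid"] is not None and f"SID={state['sid']}" in cookie_header
    if path == "phpLogin.php":
        state["sid"] = VALID_SID
        return FakeResponse(200, links_html(["phpAccountSummary.php"]),
                            [("Set-Cookie", f"SID={VALID_SID}; Path=/")])
    if path == "phpLogout.php":
        state["sid"] = None            # exactly what an authenticated scan must not trigger
        return FakeResponse(200, "logged out")
    if not authed:
        return FakeResponse(302, "", [("Location", BASE + "phpLogin.php")])
    return FakeResponse(200, links_html(PAGES.get(path, [])))


def crawl(use_cookie_jar=True, ignore_regex=IGNORE_REGEX):
    """Breadth-first crawl starting at the login page.

    Returns ([(path, status), ...], server-side session id at the end).
    Stops at the first redirect to the login page, i.e. the first sign
    that the session is no longer valid."""
    jar = CookieJar()
    state = {"sid": None}
    log, seen, queue = [], set(), [BASE + "phpLogin.php"]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        if ignore_regex is not None and ignore_regex.search(url):
            continue                    # never request logout / password-change URLs
        seen.add(url)
        req = Request(url)
        if use_cookie_jar:
            jar.add_cookie_header(req)      # re-send stored cookies like a browser
        resp = fake_server(req, state)
        if use_cookie_jar:
            jar.extract_cookies(resp, req)  # remember Set-Cookie from the response
        log.append((url[len(BASE):], resp.status))
        if resp.status == 302:
            break                       # bounced to login: session lost
        for link in re.findall(r'href="([^"]+)"', resp.body):
            queue.append(urljoin(url, link))
    return log, state["sid"]


if __name__ == "__main__":
    for label, kwargs in [("cookie jar on, logout ignored", {}),
                          ("cookies not re-sent", {"use_cookie_jar": False}),
                          ("logout link followed", {"ignore_regex": None})]:
        log, sid = crawl(**kwargs)
        print(f"{label}: {log} -> session {'alive' if sid else 'gone'}")
```

Run with the defaults, the crawl reaches every page and the session stays alive. With `use_cookie_jar=False` the second request already bounces to the login page, which is the symptom described above (successful login, then nothing spidered). With `ignore_regex=None` the crawler reaches phpLogout.php, the server drops the session, and the next request fails, which is why logout URLs have to be excluded before the crawl, not just tolerated.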

_______________________________________________
W3af-users mailing list
W3af-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-users
