Multi-user Login Scans
Applications that allow only a single active login session per user prevent multi-threaded scanning. When several scan threads log in with the same credentials, each new login invalidates the sessions held by the other threads, so the threads keep destroying each other's state and the scan runs slowly.
A solution to this problem is to convert the recorded credentials in a login macro to parameters and use multiple login accounts with the same application privileges. You can use the Multi-user Login option in the Scan Settings: Authentication window to parameterize the username and password in a login macro, and define multiple username and password pairs to use in a scan. You can also parameterize the phone number, email, and email password if two-factor authentication is required.
This approach allows the scan to run across multiple threads. Each thread has a different login session, resulting in faster scan times.
Before You Begin
You must use a parameterized login macro to configure a multi-user login scan. For more information, see the "Working with Parameters" topic in the
Known Limitations
The following known limitations apply to the multi-user login feature:
- When using this feature, Fortify WebInspect does not detect several login-related Securebase checks.
- This feature currently supports only shared requestor threads. Using default scan settings with separate crawl and audit threads is not supported. For more information, see Scan Settings: Requestor.
- The scan does not distribute the work equally among the multiple users logged in. For example, one configured user might use up to 75% of the scan activities while all other users are allocated to the remaining 25% of scan activities.
Process Overview
To configure a multi-user login scan, use the process described in the following table.
| Stage | Description |
|---|---|
| 1. | Set the shared requestor to the desired number of users. For more information, see Scan Settings: Requestor. Important! The number of shared requestor threads should not be more than the number of configured users. Requestor threads without valid users will cause the scan to run longer. Remember to count the original username and password in the parameterized macro as the first user when you configure multiple users. |
| 2. | Ensure that you have a login macro with parameterized username and password. Optionally, parameterize the phone number, email, and email password if two-factor authentication is required. For more information, see the "Working with Parameters" topic in the |
| 3. | In the Basic Scan wizard or Guided Scan wizard, enable the multi-user checkbox as described in Configuring a Multi-user Login Scan. |
| 4. | Add credentials for multiple users as described in Adding Credentials. |
| 5. | Continue through the scan wizard as normal and conduct the scan. |
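The following is an added example, not part of the Fortify WebInspect documentation or product code. It is a small deterministic model of the problem described at the top of this page and of the "Important!" note in stage 1: a target that keeps only one live session per user, and a scanner whose requestor threads each hold their own session and re-authenticate whenever the target reports that session dead. Threads are simulated with a round-robin scheduler so the counts are reproducible. The class and function names (SingleSessionApp, run_scan, assign_threads, compare), the sample accounts, and the round-robin hand-out of credentials to surplus threads are all constructed for the illustration and say nothing about how WebInspect is implemented.

```python
"""Model of why one-active-session-per-user applications slow a multi-threaded
scan, and why one configured account per requestor thread fixes it."""


class SingleSessionApp:
    """Constructed toy target. Each username may hold only one live session;
    a new login for that user silently invalidates the previous one."""

    def __init__(self, credentials):
        self._creds = dict(credentials)  # username -> password (constructed sample)
        self._active = {}                # username -> token of the single live session
        self._issued = 0

    def login(self, username, password):
        if self._creds.get(username) != password:
            return None
        self._issued += 1
        token = f"{username}:{self._issued}"
        self._active[username] = token   # the user's older session is dropped
        return token

    def is_live(self, token):
        """True only while this token is still the user's current session."""
        user = token.split(":")[0]
        return self._active.get(user) == token


def run_scan(app, thread_credentials, requests_per_thread):
    """Simulate requestor threads with a round-robin scheduler (a deterministic
    stand-in for real threads). Each thread keeps its own session token, logs in
    again whenever the target says the session is dead, then sends its request.
    Returns how many logins each thread had to perform."""
    state = [{"user": u, "pw": p, "token": None, "logins": 0}
             for u, p in thread_credentials]
    for _ in range(requests_per_thread):
        for s in state:                        # one request per thread per round
            if s["token"] is None or not app.is_live(s["token"]):
                s["token"] = app.login(s["user"], s["pw"])
                s["logins"] += 1
            if not app.is_live(s["token"]):
                raise RuntimeError("login should have produced a live session")
    return [s["logins"] for s in state]


def assign_threads(users, thread_count):
    """Hand credentials to threads round-robin, so any thread beyond the number
    of configured users ends up sharing an account. This is an assumption of
    the model used to illustrate the 'threads without valid users' caveat."""
    return [users[i % len(users)] for i in range(thread_count)]


USERS = [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c")]  # constructed sample


def compare(requests_per_thread=4, threads=3):
    """Three configurations, each returning logins per thread."""
    app = SingleSessionApp(USERS)
    # 1) every thread replays the same recorded credentials
    shared = run_scan(app, [USERS[0]] * threads, requests_per_thread)
    # 2) multi-user login: one configured account per requestor thread
    per_user = run_scan(app, assign_threads(USERS, threads), requests_per_thread)
    # 3) more requestor threads than configured users (two users, three threads)
    too_many = run_scan(app, assign_threads(USERS[:2], threads), requests_per_thread)
    return {"shared": shared, "per_user": per_user, "too_many_threads": too_many}


if __name__ == "__main__":
    for label, logins in compare().items():
        print(f"{label:17s} logins per thread = {logins}  (total {sum(logins)})")
```

With the shared account every request of every thread is preceded by a fresh login, because the neighbouring thread's login has just killed the session. With one account per thread each thread logs in exactly once. With three threads and only two accounts, the two threads that share an account fall back to logging in on every request, which is the slowdown the stage 1 note warns about.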
Configuring a Multi-user Login Scan
To configure a multi-user login scan:
1. Do one of the following:
   - From the Basic Scan wizard, click Edit > Current Scan Settings. Then, select Scan Settings > Authentication.
   - From the Guided Scan wizard, click Advanced in the ribbon, and then select Scan Settings > Authentication.
2. Select the Use a login macro for forms authentication checkbox.
   Important! You must select this checkbox to enable the multi-user login option.
3. Do one of the following:
   - To record a new macro, click Record and record a login macro as usual.
     Note: The Record button is not available for Guided Scan, because Guided Scan includes a separate stage for recording a login macro. After recording the macro, you must parameterize the credentials.
   - To use an existing macro, click ... and select a saved macro that already has parameterized credentials.
4. Select the Multi-user Login checkbox.
   Note: If you clear the Multi-user Login checkbox prior to running the scan, the additional credentials will not be used during the scan. Fortify WebInspect will use only the original credentials recorded in the login macro.
5. Continue as follows:
   - To add a user's credentials, go to Adding Credentials.
   - To edit a user's credentials, go to Editing Credentials.
   - To delete a user's credentials, go to Deleting Credentials.
6. After configuring the users' credentials, continue through the scan wizard as normal and conduct the scan.
Adding Credentials
To add credentials:
1. Under Multi-user Login, click Add.
   The Multi-user Credential Input dialog box appears.
2. In the Username box, type a username.
3. In the Password box, type the corresponding password.
4. Optionally, if two-factor authentication is required, continue according to the following table.

   | For this credential box... | Enter this... |
   |---|---|
   | Phone Number | Corresponding phone number for the username (to receive SMS responses) |
   | Email | Corresponding email address for the username (to receive email responses) |
   | Email Password | Password for the email address (to receive email responses) |

5. Click OK.
6. Repeat Steps 1-5 for each user login to add.
   Important! The number of shared requestor threads should not be more than the number of configured users. Requestor threads without valid users will cause the scan to run longer. Remember to count the original username and password in the parameterized macro as the first user when you configure multiple users. For more information, see Scan Settings: Requestor.
Editing Credentials
To edit credentials:
1. Under Multi-user Login, select an entry in the table and click Edit.
   The Multi-user Credential Input dialog box appears.
2. Edit the credentials as needed.
3. Click OK.
Deleting Credentials
To delete credentials:
1. Under Multi-user Login, select the entry in the table to be removed.
2. Click Delete.