
Logout detection – Introduction and tips

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Both Invicti Enterprise and Invicti Standard offer three options for handling logout detection: Redirect-based logout detection, Keyword-based logout detection, and None (logout detection disabled).

If you encounter any issues with logout detection, refer to the Logout detection issues document.

For authentication against unsupported login forms, refer to the linked documents on configuring custom scripts for form authentication.

This document covers the first two logout detection methods and includes guidance on choosing the right one.

Redirect-based logout detection

To detect the logout mechanism, Invicti sends a request to a login-required page without an active session. If the response is a redirect to a different page, Invicti records that target page as the indicator of a logged-out state. From then on, whenever a response redirects to that page, Invicti concludes that the current session has been terminated and re-authenticates.

Many websites redirect users back to the login form when a restricted page is requested anonymously, without a valid session. If your website does this, redirect-based logout detection applies. The URL to which users are redirected when they request a password-protected page without a valid session is the Redirect URL Pattern; Invicti populates it from the login simulation described below, and you can edit it if the detected value is too specific.

To do this, Invicti makes an anonymous request to a login-required URL and identifies a redirect-based logout if an HTTP 30x redirect response is returned. As the login-required URL, Invicti simply uses the last URL requested by the form authentication simulation, that is, the page reached after a successful login (for example, http://mysite.com/Dashboard/).

You can use wildcards in the URL. For example, if your web application adds a random ID in the URL when accessing the login page, you can use the following URL with a wildcard:

https://www.example.com/login.aspx?path=*

This allows Invicti to handle dynamic or session-specific login URLs and detect logout scenarios reliably.

However, in some cases, it may be necessary to modify the Redirect URL Pattern. For example, if a request is sent to dashboard.php without an active session, the application may redirect to:

/login.php?return_url=%2fdashboard.php

This redirect mechanism is designed to return the user to the original page (dashboard.php) after logging in.

If Invicti detects the return_url parameter in this login URL, it may later encounter a scenario where the session ends while visiting contact.php. In this case, the application would redirect to:

/login.php?return_url=%2fcontact.php

Since this URL does not match the previously detected Redirect URL Pattern, Invicti may fail to recognize that a logout has occurred and continue crawling without a valid session, so the remainder of the scan covers only what an anonymous user can reach.

To address this issue, the Redirect URL Pattern should be updated using a wildcard character:

/login.php?return_url=*

By applying this pattern, Invicti can correctly detect logouts, regardless of the specific value in the return_url parameter.
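The following is an added example, not Invicti's own code: it models the redirect-based check described above with a small matcher, so that the effect of the wildcard can be seen on the two redirects from the text. The responses are constructed for the example, and the wildcard semantics (a `*` matches any run of characters, everything else is literal, matching is case-insensitive and may be against either the absolute or the site-relative form of the redirect target) are assumptions for illustration rather than a description of Invicti's internal matching rules.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed wildcard semantics: '*' matches any run of characters; all other
# characters are literal; comparison is case-insensitive and anchored.
def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a Redirect URL Pattern containing '*' wildcards to a regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def redirect_target(status: int, headers: dict, requested_url: str):
    """Return the absolute redirect target of a 30x response, or None."""
    if not (300 <= status < 400):
        return None
    location = headers.get("Location")
    if location is None:
        return None
    # Location may be relative; resolve it against the URL that was requested.
    return urljoin(requested_url, location)


def is_logged_out(status: int, headers: dict, requested_url: str,
                  redirect_pattern: str) -> bool:
    """True if the response redirects to a URL matching the pattern."""
    target = redirect_target(status, headers, requested_url)
    if target is None:
        return False
    parts = urlsplit(target)
    relative = parts.path + ("?" + parts.query if parts.query else "")
    regex = pattern_to_regex(redirect_pattern)
    # Patterns may be written absolute (https://.../login.aspx?path=*) or
    # site-relative (/login.php?return_url=*), so try both forms.
    return regex.match(target) is not None or regex.match(relative) is not None


SITE = "https://www.example.com"

# Constructed responses (status, headers, requested URL), not captured traffic.
ANON_DASHBOARD = (302, {"Location": "/login.php?return_url=%2fdashboard.php"},
                  SITE + "/dashboard.php")
EXPIRED_CONTACT = (302, {"Location": "/login.php?return_url=%2fcontact.php"},
                   SITE + "/contact.php")
NORMAL_PAGE = (200, {"Content-Type": "text/html"}, SITE + "/contact.php")
RANDOM_ID_LOGIN = (302, {"Location": SITE + "/login.aspx?path=abc123"},
                   SITE + "/Dashboard/")

# Pattern as it would be learned literally from the first anonymous probe.
LEARNED_PATTERN = "/login.php?return_url=%2fdashboard.php"
# Corrected pattern with a wildcard in place of the return_url value.
FIXED_PATTERN = "/login.php?return_url=*"
# Absolute pattern with a wildcard, for a login URL that carries a random ID.
ABSOLUTE_PATTERN = SITE + "/login.aspx?path=*"


def demo() -> dict:
    """Evaluate each constructed response against both patterns."""
    return {
        "dashboard/learned": is_logged_out(*ANON_DASHBOARD, LEARNED_PATTERN),
        "contact/learned": is_logged_out(*EXPIRED_CONTACT, LEARNED_PATTERN),
        "contact/fixed": is_logged_out(*EXPIRED_CONTACT, FIXED_PATTERN),
        "normal/fixed": is_logged_out(*NORMAL_PAGE, FIXED_PATTERN),
        "random-id/absolute": is_logged_out(*RANDOM_ID_LOGIN, ABSOLUTE_PATTERN),
    }


if __name__ == "__main__":
    for name, logged_out in demo().items():
        print(f"{name:22s} logged out: {logged_out}")
```

With the literal pattern, the expired session on contact.php is not recognized as a logout; with `/login.php?return_url=*` both redirects are, while an ordinary 200 response is not. The same matcher accepts an absolute pattern such as `https://www.example.com/login.aspx?path=*` for a login URL that carries a random ID.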

Keyword-based logout detection

Some websites do not issue a redirect when an anonymous request is sent to a login-required URL, or the login-required URL serves a page that closely resembles the authenticated page. In such cases, Invicti detects a logout using the Keyword-based method. This type of logout detection identifies a logged-out session by searching for specific keywords in HTTP responses. If all of the specified keywords are found in a response, Invicti determines that the session has been logged out or invalidated.

When using this method, you can define as many keywords as you like. Invicti will require that all the specified keywords be present in the HTTP response to confirm a session has been terminated. You can also use regular expressions (RegEx) to define more complex keyword patterns. If you use RegEx, be sure to check the Is Regex? box next to the keyword pattern.

It is essential to ensure that the keywords you define appear only on the logout page. If these keywords are found on any other page during the scan, Invicti may incorrectly assume a logout has occurred and attempt to log in again. To improve accuracy, avoid using generic keywords and prefer more specific RegEx patterns. For example, instead of using "username" as a keyword, which might appear on multiple pages, you can use a more specific RegEx pattern like:

<input .*username.*>

This pattern ensures a stricter match and prevents unnecessary login attempts.

Additionally, be cautious about keyword patterns that also match the content of .js and .css files, as this can cause false logout detections. To avoid this, exclude the URLs of these files from the scan. Invicti can then continue to request them for site functionality without evaluating their content as a logout signal.
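The following is an added example, not Invicti's own code: it models keyword-based detection as described in the three paragraphs above (every configured keyword must match; plain keywords are substrings, keywords flagged "Is Regex?" are regular expressions; .js and .css URLs are excluded from the check) and runs it over constructed pages to show the false positive from a generic keyword and the effect of the exclusion. Case-insensitive matching and the exact exclusion mechanics are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Extensions whose content must not be evaluated as a logout signal
# (assumed to correspond to excluding those URLs from the scan).
EXCLUDED_EXTENSIONS = (".js", ".css")


def is_excluded(url: str) -> bool:
    """True for static assets that are excluded from logout evaluation."""
    return urlsplit(url).path.lower().endswith(EXCLUDED_EXTENSIONS)


def keyword_matches(body: str, keyword: str, is_regex: bool) -> bool:
    """One keyword: regex search when 'Is Regex?' is set, else substring."""
    if is_regex:
        return re.search(keyword, body, re.IGNORECASE) is not None
    return keyword.lower() in body.lower()


def is_logged_out(url: str, body: str, keywords, exclude_assets=True) -> bool:
    """All configured keywords must be present for a logout verdict."""
    if exclude_assets and is_excluded(url):
        return False
    return all(keyword_matches(body, kw, is_regex) for kw, is_regex in keywords)


SITE = "https://www.example.com"

# Constructed responses for the example, not captured from a real site.
LOGIN_PAGE = (
    '<h1>Sign in</h1><form method="post" action="/login.php">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<button>Log in</button></form>'
)
PROFILE_PAGE = (
    '<h1>Your profile</h1><p>Your username is alice. '
    'Change your password on the settings page.</p>'
)
SEARCH_PAGE = '<h1>Search</h1><p>Search users by username.</p>'
APP_JS = (
    'function validate(f){ if(!f.username.value||!f.password.value)'
    '{ alert("username and password are required"); } }'
)

# Generic keywords: appear on pages other than the login form.
GENERIC = [("username", False), ("password", False)]
# Regex keywords (Is Regex? checked): require the actual input fields.
SPECIFIC = [("<input .*username.*>", True), ("<input .*password.*>", True)]
# Tighter variant that cannot run past the closing '>' of the input tag.
TIGHT = [("<input[^>]*username[^>]*>", True), ("<input[^>]*password[^>]*>", True)]


def demo() -> dict:
    """Verdicts for each page under the generic and specific keyword sets."""
    return {
        "login/generic": is_logged_out(SITE + "/login.php", LOGIN_PAGE, GENERIC),
        "profile/generic": is_logged_out(SITE + "/profile.php", PROFILE_PAGE, GENERIC),
        "search/generic": is_logged_out(SITE + "/search.php", SEARCH_PAGE, GENERIC),
        "login/specific": is_logged_out(SITE + "/login.php", LOGIN_PAGE, SPECIFIC),
        "profile/specific": is_logged_out(SITE + "/profile.php", PROFILE_PAGE, SPECIFIC),
        "login/tight": is_logged_out(SITE + "/login.php", LOGIN_PAGE, TIGHT),
        "app.js/generic/no-exclusion": is_logged_out(
            SITE + "/static/app.js", APP_JS, GENERIC, exclude_assets=False),
        "app.js/generic/excluded": is_logged_out(
            SITE + "/static/app.js", APP_JS, GENERIC),
    }


if __name__ == "__main__":
    for name, logged_out in demo().items():
        print(f"{name:28s} logged out: {logged_out}")
```

The profile page contains both generic words and is wrongly reported as a logout, which would trigger a needless re-login; the search page contains only one of the two and is not, because all keywords are required. The regex keywords match only the real login form. Note that `.*` in `<input .*username.*>` can run past the closing `>` and across any other tags on the same line; the `TIGHT` variant with `[^>]*` stays inside a single tag and is the form to prefer when the login page is minified onto one line. The script file matches the generic keywords but is ignored once .js URLs are excluded.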

Choosing the right logout detection method

If your website follows a redirect-based logout structure, we recommend using Redirect-based logout detection, as it provides more reliable results: a redirect to a fixed login URL is an unambiguous signal, whereas ensuring that manually selected keywords appear only on logged-out pages can be challenging.

If neither method aligns with your website's structure, or either causes issues, you can disable logout detection by selecting None. With detection disabled, Invicti cannot tell that the session has ended, so ensure that pages which trigger a logout are excluded from the scan; otherwise, Invicti may continue scanning without a valid session after the session ends.

Impact on security scanning

Undetected or falsely detected logouts interfere with security scanning: an undetected logout leaves the rest of the scan running without a session, so authenticated pages are not crawled or tested, while a false detection causes repeated, unnecessary logins that extend scan duration. The solutions provided here help Invicti maintain an active session throughout crawling and scanning, reducing scan time and improving the accuracy of the assessment.