Multiple Cookies and Token Authentication: Enhancing API Security

Alberto Fidalgo | August 8, 2023

Enhance security measures by implementing advanced authentication techniques. Explore the benefits of token and cookie-based authentication and learn how to integrate them effectively using HawkScan.

Authentication is a critical aspect of software development, ensuring that only authorized users can access sensitive information or perform specific actions. While traditional username and password authentication has long been the norm, modern software solutions are increasingly adopting more advanced methods, such as multiple cookies and token authentication. These techniques not only bolster security but also provide a seamless user experience. In this blog, we will explore the benefits and applications of multiple cookies and token authentication in software.

What Are Multiple Cookies and Token Authentication?

Multiple cookies and token authentication involve using custom tokens or cookies to authenticate users instead of relying solely on a username and password. These tokens or cookies act as authorization credentials, granting access to specific resources or functionalities within an application.

Tokens are typically used in API key access or third-party authentication services like OAuth. They are generated by the server and provided to the client, who includes them in subsequent requests to prove their identity. Cookies are also generated by the server as small pieces of data stored on the client side and sent with each request to the server.

Benefits of Multiple Cookies and Token Authentication

1. Enhanced Security: Tokens and cookies provide an additional layer of security by separating authentication from the actual user credentials. This reduces the risk of exposing sensitive information, such as passwords, during the authentication process.

2. Scalability: Tokens and cookies can be easily generated and managed, making them ideal for scenarios where multiple users need to access an application simultaneously. This scalability ensures that the authentication process remains efficient and reliable.

3. Third-Party Integration: Many applications rely on third-party authentication services like OAuth. By supporting multiple cookies and token authentication, software can integrate with these services smoothly and give users a consistent sign-in experience.

4. Granular Access Control: Tokens and cookies can be tailored to grant specific permissions or access levels to different users or user groups. This fine-grained control allows for more precise authorization and reduces the risk of unauthorized access to sensitive resources.

Implementing Multiple Cookies and Token Authentication

To test software that uses multiple cookies and token authentication, you can leverage HawkScan, a security testing tool. HawkScan allows you to supply authorization tokens or cookies externally through its `authentication.external` configuration.

The configuration consists of three main parts:

1. Logged In/Out Indicators: These indicators help HawkScan determine whether it is still logged in throughout the scan. You can define regex patterns or HTTP response codes that indicate a successful login or a logout.

2. Auth(Z) External Injection: This section allows you to specify the tokens or cookies that will be injected into each request sent by HawkScan. You can define the type (TOKEN or COOKIE), name, value, and optional token type for each token or cookie.

3. Test Path: HawkScan needs a test path to verify if the authentication was successful. This path should only be accessible when the user is logged in. You can define the path, expected success response pattern, and request method (GET, POST, etc.).

By configuring these sections in your `stackhawk.yml` file as shown below, you can seamlessly integrate multiple cookies and token authentication into your software.

```yaml
app:
  applicationId: ${APP_ID:test-app}
  env: ${APP_ENV:Multi Cookie Auth}
  openApiConf:
    path: /openapi
  host: ${HOST:https://localhost:9000}
  # Keep the scanner away from routes that would end or replace the session.
  excludePaths:
    - "/logout"
    - "/login-form-multi"
    - "/login-code"
  authentication:
    # Part 2: credentials injected into every request. The values are read
    # from environment variables when the scan starts.
    external:
      values:
      - type: COOKIE
        value:
          name: "XLOGINID"
          val: ${XLOGINID}
      - type: COOKIE
        value:
          name: "JSESSIONID"
          val: ${JSESSIONID}
    # Part 3: a route that is only reachable when logged in, used to verify
    # that the injected cookies produce an authenticated session.
    testPath:
      path: /login-multi-check
      success: ".*200.*"
    # Part 1: regexes matched against responses to track session state.
    loggedInIndicator: "\\QSign Out\\E"
    loggedOutIndicator: ".*Location:.*/login.*"
```
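The configuration above expects `XLOGINID` and `JSESSIONID` to already be set in the environment when `hawk scan` starts. The script below is an added example, not part of the original post or of HawkScan, showing one way a CI job can obtain both cookies from the application's own login form and hand them to the scan. It assumes the form at `/login-form-multi` takes `username` and `password` fields and that credentials arrive in `SCAN_USER` and `SCAN_PASS`; none of that is stated in the post.

```bash
#!/usr/bin/env bash
# Added example: log in once, export the two session cookies the stackhawk.yml
# injects, then start the scan. Field names and credential variables are assumptions.
set -euo pipefail

HOST="${HOST:-https://localhost:9000}"

# Read one cookie's value from a Netscape-format cookie jar (what `curl -c` writes).
# Columns: domain, include_subdomains, path, secure, expiry, name, value.
# HttpOnly cookies such as JSESSIONID are stored with a "#HttpOnly_" domain prefix,
# so those lines must not be skipped as comments. Exits non-zero if the cookie is absent.
cookie_from_jar() {
  jar="$1"; name="$2"
  awk -v n="$name" '
    (!/^#/ || /^#HttpOnly_/) && NF >= 7 && $6 == n { print $7; found = 1 }
    END { exit !found }' "$jar"
}

login_and_scan() {
  jar="$(mktemp)"
  trap 'rm -f "$jar"' EXIT
  # Post the login form; -c stores every Set-Cookie the server returns in the jar.
  curl -sS -o /dev/null -c "$jar" \
    --data-urlencode "username=${SCAN_USER}" \
    --data-urlencode "password=${SCAN_PASS}" \
    "${HOST}/login-form-multi"
  # Both cookies are required; with either missing the scan would run unauthenticated
  # and the loggedOutIndicator would fire on the first redirect to /login.
  XLOGINID="$(cookie_from_jar "$jar" XLOGINID)"
  JSESSIONID="$(cookie_from_jar "$jar" JSESSIONID)"
  export XLOGINID JSESSIONID HOST
  hawk scan stackhawk.yml
}

# Only perform the login and scan when explicitly asked; sourcing the file just
# defines the helpers.
if [ "${1:-}" = "--run" ]; then login_and_scan; fi
```

Run it as `./scan-with-cookies.sh --run` from the directory holding `stackhawk.yml`.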


Multiple cookies and token authentication provide enhanced security and flexibility for API-driven applications. By leveraging tokens or cookies as authorization credentials, you can ensure that only authorized users can access sensitive resources or perform specific actions. HawkScan's support for multiple cookies and token authentication makes it easy to test even the most gated paths of your application.
