2.0.09beta - Cookie Jar does not update with scanner
The cookie jar does not appear to update with cookies received during active scans.
The project options were configured to update the cookie jar from both the proxy and scanner. The proxy was working as expected; however, no updates were occurring when a scan was running. The application being scanned updates the cookie upon each request, therefore updates should have been occurring constantly.
I attempted enabling this setting both during and before running a scan; however, neither method had any effect.
I tested this in the last (pre-beta) version of Burp I have, 1.7.37, and the cookie jar was being updated as expected when performing the same scan.
If you are using the new “Crawl & audit” feature, this is expected behavior. The new crawler and path-aware scanner handle cookies separately. Perhaps we should communicate this in the UI more clearly, but the behavior will not change – it’s just not possible to reconcile a simple cookie jar with the more advanced session handling logic.
If you use “Audit selected items” then the cookie jar is updated just like in Burp 1.