Header Based Session Management

This add-on adds a new session management type which supports an arbitrary number of headers.

If used in conjunction with Browser Based Authentication or Client Script Authentication then it will also maintain all of the cookies and any headers with names containing the strings "auth" or "csrf" (ignoring case) set as part of authentication.

The header values can include the following tokens:
     {%json:path.to.data%} JSON authentication response data
     {%env:env_var%} Environmental variable
     {%script:glob_var%} Global script variable
     {%header:env_var%} Authentication response header
     {%url:key%} Authentication URL param

Automation Framework

Header Based Session Management can be configured in the environment section of an Automation Framework plan using: 
      sessionManagement:
        method: "headers"
        parameters:                    #  list of header: value pairs which can include any of the tokens defined above, e.g.
          Authorization: "Bearer: {%json:AuthenticationResult.AccessToken%}"

API

Header Based Session Management can be configured via the ZAP API, using the following parameters: 
    contextId
    methodName
    methodConfigParams
For example:
contextId1
methodNameheaderBasedSessionManagement
methodConfigParamsheaders=Authorization:Bearer 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

When adding Header Based Session Management via the API the headers parameter is a string of header:value pairs separated by newline characters: \n.

Note that due to restrictions in the core:

These restrictions will be addressed in a future release.

Latest code: HeaderBasedSessionManagementMethodType.java