Merge pull request #559 from psiinon/dont-auto-forced-user
Don't automate forced user mode
kingthorin authored Nov 11, 2024
2 parents 50246af + b1d00ea commit 6c0d81d
Showing 5 changed files with 26 additions and 9 deletions.
@@ -7,6 +7,9 @@
<body>
<h1>Authentication</h1>
ZAP can handle a wide range of authentication mechanisms.<br>
If you are new to ZAP automation then the best place to start is the ZAP
<a href="https://www.zaproxy.org/docs/authentication/">Authentication Decision Tree</a> (external link).
<p>
Each <a href="contexts.html">Context</a> has:
<ul>
<li>an <a href="authmethods.html">Authentication Method</a> which defines how authentication is handled.
@@ -63,17 +66,22 @@ <h2>Configuration example</h2>
<li>Define as many users as you need in the Session Properties -> Users section.</li>
</ol>
After configuring authentication, various actions are available in ZAP. For example, you can now select the user in the
Spider dialogue. Or, using the Forced User Mode,
you can force all the interactions that go through ZAP for a given Context to be from the perspective of a User.
The Forced User Mode is enabled via a button in the toolbar (the one with the user and the lock) and
is configured via Session Properties -> Forced User Mode.
Spider dialogue.
<br>
Most of the steps above apply as well for other authentication methods. The only things that change when trying
to configure authentication using a different method is step 6. Instead of that, select the authentication
method required from the drop-down list and configure it as needed. More details about configuring each type
of authentication can be found in the <a href="authmethods.html">Authentication Methods</a> page and in the
<a href="../../ui/dialogs/session/contexts.html">Context Session screens</a>.

<h2><a name="forceduser">Forced User Mode</a></h2>
When Forced User Mode is enabled then all interactions that go through ZAP for a given context will be
updated to be from the perspective of the specified User.<br>
The Forced User Mode is enabled via a button in the toolbar (the one with the user and the lock) and
is configured via Session Properties -> Forced User Mode.<br>
<b>Important:</b> Forced User Mode is just intended for manual testing and should not be used in automation -
there are much better alternatives.

<h2><a name="envvars">Authentication Header Environmental Variables</a></h2>
A set of environmental variables are available which allow you to easily add an authentication header to all of the requests that are proxied through ZAP or initiated
by the ZAP tools, including the spiders and active scanner:
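Review bot: the new "Important" note in the Forced User Mode section says Forced User Mode "should not be used in automation - there are much better alternatives" but does not say what they are, which leaves the reader who came here for automation guidance with nothing to follow. The Authentication Decision Tree link added at the top of this same page is the obvious target; suggest ending the sentence with something like "there are much better alternatives; see the Authentication Decision Tree linked above" or linking to the automation framework's user and context configuration directly. Moving the toolbar-button and Session Properties sentences out of the configuration example into a dedicated section with its own anchor is otherwise a clear improvement.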
@@ -7,16 +7,22 @@
<body>
<h1>HTTP Sessions</h1>
<p>This tool keeps track of the existing HTTP Sessions on a
particular Site and allows the Zaproxy user to force all requests to
particular Site and allows the ZAP user to force all requests to
be on a particular session. Basically, it allows the user to easily
switch between user sessions on a Site and to create a new Session
without "destroying" the existing ones.</p>

<p>
The tool is only intended for manual testing and should not be used in automation -
there are much better alternatives.
If you are new to ZAP automation then the best place to start is the ZAP
<a href="https://www.zaproxy.org/docs/authentication/">Authentication Decision Tree</a> (external link).

<p>
It is based on the concept of Session Tokens, which are HTTP message
parameters (for now only Cookies) which allow an HTTP server to
connect a request message with any previous requests or data stored.
In the case of Zaproxy, conceptually, session tokens have been
In the case of ZAP, conceptually, session tokens have been
classified into 2 categories: default session tokens and site session
tokens. The default session tokens are the ones that the user can set
in the <a href="../../ui/dialogs/options/httpsessions.html">Options
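Review bot: the new paragraph opened with `<p>` before "The tool is only intended for manual testing" is never closed, while the paragraph just above it ends with `</p>`; add `</p>` after the "(external link)." line so the markup stays consistent with the rest of this file. As with the matching note in authentication.html, "there are much better alternatives" names none; since the decision tree link follows in the very next sentence, "there are much better alternatives (see the Authentication Decision Tree below)" would make the pointer explicit.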
2 changes: 1 addition & 1 deletion addOns/help/src/main/javahelp/contents/start/pentest.html
@@ -49,7 +49,7 @@ <H2>See also</H2>
<H2>External Links</H2>
<table>
<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;</td><td>
https://www.owasp.org/wstg</td>
<a href="https://www.owasp.org/wstg">https://www.owasp.org/wstg</a></td>
<td> OWASP Testing Guide</td></tr>
</table>

5 changes: 4 additions & 1 deletion addOns/help/src/main/javahelp/contents/start/proxies.html
@@ -9,7 +9,10 @@
<BODY>
<H1>Configuring Proxies</H1>
<p>
You will need to configure your browser to use ZAP as a proxy.<br>
The best way to use a browser with ZAP is to launch it from ZAP.
It will then be automatically configured to proxy through ZAP and to ignore certificate warnings.
<p>
If for any reason you are unable or unwilling to do that then you will need to configure your browser to use ZAP as a proxy.<br>
By default, ZAP uses an Address of 'localhost' and a Port of '8080', but these can be changed via the Options > Network > Local Servers/Proxies screen.

Instructions for the latest versions of the most commonly used browsers:
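Review bot: the line "It will then be automatically configured to proxy through ZAP and to ignore certificate warnings" describes a browser that no longer validates TLS certificates, and the page should say what that implies: a browser launched this way must only be used for testing through ZAP, never for ordinary browsing, because any intercepted or mis-issued certificate will be accepted silently. One sentence after that line would cover it, and the same caveat applies to the manual proxy setup described underneath, where users typically import the ZAP root CA or click through warnings themselves.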
2 changes: 1 addition & 1 deletion addOns/help/src/main/javahelp/contents/ui/tlmenu/edit.html
@@ -37,7 +37,7 @@ <H4>Previous Result</H4>
<a href="../tabs/response.html">Response</a> tab as appropriate.

<H3>Enable / Disable Forced User Mode</H3>
This switches forced user mode on and off.<br/>
This switches <a href="../../start/features/authentication.html#forceduser">Forced User Mode</a> on and off.<br/>
The menu item is only enabled when you have defined a forced user for at least one
<a href="../../start/features/contexts.html">context</a>, which can be done via the
<a href="../dialogs/session/contexts.html">Session Contexts</a> dialog.