ASM JSON login page

You have a very strange application to protect.

So you are saying that application has Page 1 where user enters username only and clicks login button - this generate a JSON request which contains only one parameter: "username" to the server after which the user is navigating to Page where only the Password is required and then again a JSON request is sent next to the server with only one parameter "password"???

How is the session state maintained between Page 1 and Page 2? there must be something ( a cookie, a token a header) sent back by the server in response to Page 1 request which would help the server to link the JSON data blurb with just username with bare Page 2 with just password.

You can try defining 2 x AJAX page URLs with username & password being the same parameter name (you can't leave the password field blank).

Can you provide examples of full HTTP requests and responses? (Page 1 request/response and Page 2 request/response) for a successful (and unsuccessful) login?

Those are the 2 Post responses:

1 ) Params:

2) Params:

What links the requests is the cookie and the captcha token but as it can be seen the first request only contains the user and the second one contains the user and the password.