Documentation > Login forms
Many websites restrict parts of their site, and Total Validator needs to be authenticated to test these pages. The original way of doing this is was to use HTTP Authentication, and the Network options are available to facilitate this.
A more modern approach is to use a 'login form', where the user enters an id and password or other identifying information into the form, and the server sets a session cookie to say that user has been authenticated, and can then visit the restricted pages.
Total Validator supports two ways of authenticating using login forms. The easiest is to login through your browser and use one of our browser extensions to start testing. Alternatively, you can enter the login details directly into the Pro version. In both cases you must skip any log off and delete links and set any other form related options.
Using a browser extension
This is by far the easiest way to work with login forms, and should work with almost every type there is.
In your browser, log into the site. Your browser should now hold a session cookie allowing access to the restricted pages. Then use one of our browser extensions to start testing.
The browser extension will pass the session cookie to Total Validator so that it can test the restricted pages of the website. But you still need ensure that you configure it to skip any log off and delete links, and set any other form related options.
Using just the Pro version
If you are using Total Validator Pro without a browser extension then the Forms options can be used to log into the website. When a form is found that matches the Action URL, Total Validator will effectively click the appropriate Submit button sending any hidden or default form parameters together with any parameters that you've explicitly specified (typically your id and password).
If successful, the web server will normally return the first secure page and set a session cookie in Total Validator. It can then follow all the links on this page, testing the restricted pages in the usual way.
Note that you must skip any log off and delete links and set any other form related options.
Log off and delete links
It is very common to add a link to every restricted page, which logs you off when followed. Because Total Validator may test and follow these links, it will be logged off. Any restricted pages that are then tested will either show as failed links or just be the page containing the login form. The number of pages tested will then be very short and this problem easy to spot. Sometimes you will also see errors complaining about links that redirect to themselves.
There may also be links on pages that delete or otherwise destroy resources. A common example is to display a list of documents in a table with a column of links to delete each document, or even a 'delete all' link. In this case Total Validator will faithfully follow each link deleting all the documents. Note that it is good programming practice to replace all such links with submit buttons instead, although this may not always be possible.
You can solve these issues by telling Total Validator to skip these log off and delete links using the Exclude option.
Related options
Most login forms use cookies to store details about the login session, so you must ensure that Total Validator is set to accept cookies (the default setting Server
will do this).
With single sign-on systems such as SAML, you log in on one site and end up at another. Total Validator Pro has been tested with several SAML based systems including Shibboleth and Athens. But there are many caveats, so please see our dedicated SAML topic for more information on how to configure for SAML.
Finally, remember that Total Validator does not execute any JavaScript, so the login form must not rely on javascript for activation.
Example forms
We have provided an example form which illustrates how you would normally configure Total Validator to work with a login form. We advise anyone attempting to use login forms to first practice with this form to avoid many common problems.