Total Validator
HTML5 / XHTML / WCAG / Section 508 / CSS / Links / Spelling

Introduction

Many websites restrict access to parts of their site to authorised users. So Total Validator needs to be authenticated in order to validate these parts of websites. The old method of doing this is to use HTTP Authentication, in which case the options on the Authentication tab can be used for authentication.

A more modern approach is to use a 'login form', where the user enters an id and password and the server sends back a session cookie to say that user has been authenticated.

Total Validator supports two ways of authenticating using login forms. The easiest is to login through your browser and use one of our extensions to start the validation. Alternatively, you can enter the login details into the Pro version so that it logs in whilst validating. In both cases you must skip any log off and delete links and set any other form related options in the Pro version.

top

Using a browser extension

This is by far the easiest way to work with login forms, and should work with almost every type there is.

In Chrome or Firefox log into the site. Your browser should now hold a session cookie containing a reference to your login session.

You can now use one of our browser extensions to start the validation. The browser extension will pass the session cookie to Total Validator Pro so that it will have access to the secure pages of the website. But you still need ensure that you configure Total Validator to skip any log off and delete links, and set any other form related options.

top

Using the Pro version

If you are using Total Validator Pro without a browser extension then the Forms tab can be used to detect and log into the login form whilst validating the website. When a form is found that matches the Action URL, Total Validator will effectively click the appropriate Submit button sending any hidden or default form parameters together with any parameters that you've explicitly specified (typically your id and password).

If successful the web server will normally return the first secure page and set a session cookie in Total Validator. It can then follow all the links on this page, validating all the secure pages in the usual way. (Note that this assumes that you have entered Pages and include options to allow this to happen.)

Note that you must skip any log off and delete links and set any other form related options in the Pro version.

top

Log off and delete links

It is very common to add a link to every page behind the login page, which logs you off when clicked. Because Total Validator may follow these links it will be logged off. Any subsequent pages that are validated will either show as failed links or just be the logon page itself. So the number of pages validated will be very short and this problem easy to spot. Sometimes you will also see errors complaining about links that redirect to themselves when this happens.

You may also have links on your pages that delete or otherwise destroy resources. A common example is to display a list of documents in a table with a column of links to delete each document, or even a 'delete all' link. In this case Total Validator will faithfully follow each link deleting all of the documents. Note that it is good programming practice to replace all such links with submit buttons instead, although this may not always be possible.

You can solve this issue by telling Total Validator to skip these log off and delete links using the Exclude option.

top

Related options

Most login forms uses cookies to store details about the login session. So you must ensure that Total Validator Pro is set to accept cookies (the default setting will do this), and if you are using a browser extension you must have the 'Send cookies to Pro application' option selected (again this is the default option).

With single sign-on systems such as SAML, you log in on one site and end up at another. Total Validator Pro has been tested with a number of SAML based systems including Shibboleth and Athens. But there are many caveats, so please see our dedicated SAML page for more information on how to configure for SAML.

Finally, remember that Total Validator does not execute any javascript, so the login form must not rely on javascript for activation.

top

Example forms

We have provided an example form which illustrates how you would normally configure Total Validator to work with a login form.

top