How to test password-protected websites
Silktide can test websites protected by a username and password. The approach used depends on the nature of the password protection.
HTTP authentication is a common but basic form of user authentication. If a website is using HTTP authentication, loading it in Chrome will show a popup like this:
If your website uses HTTP authentication then Silktide will detect this automatically and ask you for the username and password automatically when you first add the website.
If you were not prompted, or if you need to update your HTTP authentication settings, view the website overview page for the report that needs authentication to access the website. Select the Settings button in the top-right corner to load the website settings screen. From here the URL of the website will be the first field on the form, to the right of the field is a button labelled Go. Select the Go button for the URL to be checked. If HTTP authentication is required for that page, then a prompt will appear for the login details to be input. Don’t forget to Save once the changes have been made.
Other types of authentication
Currently logging in to sites in this way requires a custom setup by one of our developers. The nature of this depends on the complexity of your login.
You’ll need to let us know the web address of your login page, and login details for a test account. We use these to confirm our technology can log in and see pages behind that login.
How we test logged in areas
This section is technical and is designed for people who work on the website you are looking to test.
- Login is programmed as a series of manual steps, similar to Selenium. For example: click a field, enter a value, and submit a form.
- Parts of your page are referenced via CSS selector (e.g. input[name=login]), so a predictable CSS selector must exist for your login to work.
- Although we support some conditional logic, non-linear logins are generally not feasible, e.g. “enter the nth digit of your password”, CAPCHAs, etc.
- Your authentication state (the browser’s cookies and local storage) is gathered immediately after logging in, stored, and shared between all of our workers as they download your site.
- We can customize the number of workers, there are 6 by default, and they alternate between desktop and mobile devices.
- Silktide adds a conditional check that a user is logged in (e.g. confirming their name appears in the corner of the screen), this is usually a text match or a CSS selector.
- We use this check to detect when we need to re-authenticate, potentially during a crawl, or sometime later when a user asks to re-test a page on your site.
What can cause problems?
Nearly all well-behaved websites that use web standards correctly will just work. Unfortunately, older and proprietary login systems do not always behave this way.
- If some links are not idempotent – i.e. visiting a page has side effects – we may need to exclude them. The most common example is if a link logs out the user; more serious examples would include links that create or delete data. For this reason, you should only ever test with a dummy login account.
- Some logged-in pages use entirely temporary URLs, which exist only for the moment they are first requested (e.g. they contain a unique session ID and/or encrypted application state). Although we can sometimes still test these, they are much more difficult to set up and some parts of Silktide are incompatible with them (e.g. you can’t view the history for a page, as no page exists more than once).
All of your details are encrypted via SSL and stored behind multiple levels of security. However, you should be aware of the following:
- To test your pages we need to store your login details (e.g. username and password) that you gave us – i.e. we can’t just store a non-reversible hash.
- We store the contents of the pages that we download so they can be tested, and viewed within our platform.
Therefore you should ensure that the login details you give us, and the pages that this login provides access to, are not sensitive in nature. We strongly recommend the use of a dummy account for this purpose.