--- title: "Scan Beyond Login" slug: "scan-beyond-login-1" updated: 2026-04-15T19:51:28Z published: 2026-04-15T19:51:28Z canonical: "docs.bigid.com/scan-beyond-login-1" stale: true --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.bigid.com/llms.txt > Use this file to discover all available pages before exploring further. # Scan Beyond Login > [!NOTE] > In Short > > **Enable:**Scan Beyond Login enables the BigID scanner to discover cookies and trackers on web pages that require authentication. When enabled, the scanner automatically logs into your website before scanning — providing full visibility into authenticated sections of your site. > > **Access**: Cookies & Trackers > select a Domain > Scanner > Configure Scanner ## **Overview** Standard cookie scanners stop at the login page, missing all trackers that only appear after authentication. Over 90% of RFPs request scanning beyond login because critical data-privacy risks are often hidden behind authentication walls. Scan Beyond Login solves this by replaying a recorded login script before each scan, giving you a complete, accurate view of all trackers across your site — including authenticated pages. ## **How It Works** At scan time, BigID: 1. Loads your recorded Selenium IDE script (.side file). 2. Replaces the {username} and {password} placeholders with your stored, encrypted credentials. 3. Runs ChromeDriver headlessly to complete the login flow. 4. Scans all authenticated pages and surfaces discovered cookies and trackers in your BigID Privacy dashboard. ## **Feature Flag Requirement** The Scan Beyond Login toggle is only visible when the scanBeyondLogin permission is enabled at both the company (tenant) level and the user-role level. | **Note:** Without the tenant flag, the entire Scan Beyond Login section is hidden — no error is shown. If a customer reports the toggle is missing, always check the tenant permission first. Once enabled at the tenant level, assign the scanBeyondLogin permission to the relevant user role. | | --- | ## **Prerequisites** Before configuring Scan Beyond Login, ensure you have: - The Selenium IDE browser extension installed (Firefox recommended). - Valid login credentials for the website you want to scan. - Access to BigID Privacy with the scanBeyondLogin permission enabled for your tenant and role. ## **Step 1 — Record Your Login Flow** Use Selenium IDE to record the steps your browser takes to log in to the target website. 1. Open Selenium IDE from your browser toolbar. 2. Click **"Record a new test in a new project"** and give the project any name. 3. Enter your website's base URL — for example, https://www.mysite.com. 4. Click **"Start Recording"** — a new browser window opens. 5. Navigate to the login page and fill in the form: - In the email or username field, type your real login email. - In the password field, type your real password. - Click the login button. 6. Once logged in, return to Selenium IDE and click **"Stop Recording"**. ## **Step 2 — Save and Verify the .side File** Save the recorded test. Selenium IDE produces a .side file (for example, login-flow.side). Open this file in a text editor and confirm it follows the structure below. | **Tip** The value fields for your username and password commands **must** contain {username} and {password} — not your real credentials. If you see actual email addresses or passwords in these fields, replace them before uploading. | | --- | A correctly formatted .side file looks like this: | { "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "version": "2.0", "name": "login-flow", "url": "https://www.mysite.com", "tests": [{ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "name": "login", "commands": [ { "command": "open", "target": "/login", "value": "" }, { "command": "type", "target": "name=email", "value": "{username}" }, { "command": "type", "target": "name=password", "value": "{password}" }, { "command": "click", "target": "css=button[type='submit']", "value": "" } ] }], "suites": [{ "name": "Default Suite", "tests": ["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"] }], "urls": ["https://www.mysite.com/"], "plugins": [] } | | --- | ### **Credential Placeholders** BigID performs a case-insensitive find-and-replace on every type command's value field at scan time: | **Placeholder** | **Replaced with at scan time** | | --- | --- | | {username} | The value stored in the User field | | {password} | The value stored in the Password field | ## **Step 3 — Enable and Configure in BigID Privacy** Once you have a verified .side file, configure the feature in the platform: 1. Navigate to your site in BigID Privacy and open the **Scanner** tab. 2. Click **Actions → Configure Scanner**. 3. Toggle **Scan beyond login** on. 4. Upload the .side file saved in Step 2. 5. Enter your real credentials in the **User** and **Password** fields. 6. Click **Save**. | **Note:** Configuration is per site. Each site stores its own script, username, and password independently. Switching sites in the platform loads that site's specific configuration. | | --- | ## **Verifying the Result** After saving and triggering a scan, confirm Scan Beyond Login is active: - Go to the **Scanner** widget on the site overview page. - The **Scan beyond login** row should display **Active**. - Authenticated pages now appear in your scan results alongside public pages. ## **Troubleshooting** | **Symptom** | **Likely Cause** | **Action** | | --- | --- | --- | | Toggle not visible | scanBeyondLogin tenant flag not enabled | Enable the company permission for the tenant | | Toggle visible but greyed out | User missing the role permission | Assign scanBeyondLogin to the user's role | | Scanner cannot log in | Script has hardcoded credentials | Edit the .side JSON — replace credential values with {username} / {password} | | Scanner cannot log in | Credential fields are empty | Fill in the User and Password fields in the platform | | Scanner cannot log in | Login selectors are outdated (site UI changed) | Re-record the login script in Selenium IDE | | Save button stays disabled | Toggle is on but no .side file uploaded | Upload a .side file first |