A Comprehensive Guide to Writing Test Cases for Login Page

What is the first screen you see when you start interacting with a software product? Right, it is its login page. But this page is not only a user’s entry path to the solution. It is also the product’s first line of defense against unauthorized access and credentials theft. That is why the fast and secure login process is mission-critical for solutions of all kinds, which can be ensured during their software development through out-and-out testing.

And software testing of any kind (including this one) is performed via the utilization of comprehensive test cases (aka test scenarios). What is the first screen you see when you start interacting with a software product? Right, it is its login page. But this page is not only a user’s entry path to the solution. It is also the product’s first line of defense against unauthorized access and credentials theft.

That is why the fast and secure login process is mission-critical for solutions of all kinds, which can be ensured during their software development through out-and-out testing. And software testing of any kind (including this one) is performed via the utilization of comprehensive test cases (aka test scenarios).

This article explains what a test scenario for Login page is, enumerates login page components that should undergo a testing process, and helps QA teams write test case for Login page by showcasing their types and tools useful in automation test cases for Login pages, giving practical tips on how to write test scenarios for Login page, and specifying the procedure of generating test cases using Testomat.io.

First, let’s clarify what a test case is. In QA, test cases are thoroughly defined and documented checking procedures that aim to ensure a software product’s function or feature works according to expectations and requirements. It contains detailed instructions concerning the testing preconditions, objectives, input data, steps, and both expected and actual results. Such a roadmap enables conducting a structured, repeatable, and effective checking routine that helps identify and eliminate defects.

The same is true for login page test cases that are honed to validate a solution’s login functionality, covering such aspects as UI behavior, valid/invalid login attempts, password requirements, error handling, security strength, etc. The ultimate goal of software testing test cases for Login page is to guarantee a swift and safe sign-in process across different devices and environments, which contributes to the overall seamless user experience of an application. When preparing to write test cases for Login page, you should have a clear vision of what you are going to test.

No matter whether you build a Magento e-store, a gaming mobile app, or a digital wallet, their login pages contain basically identical elements.

User name. As a variation, this item may be extended by the phone number or email address. In short, any valid credentials of a user are entered here.
Password. This field should mask (and unmask on demand) the user’s password.
Two-factor authentication. This is an optional element present on the login pages of software products with extra-high security requirements. As a rule, this second verification step involves sending a one-time password to the user via email or SMS.
“Submit” button. If the above-mentioned details are correct, it initiates the authentication process, thus confirming it.
“Remember me” checkbox. It is called to streamline future logins by retaining the user’s credentials.
“Forgot Password” link. If someone forgets their password, this functionality allows them to reset it.
Social login buttons. Thanks to these Login page functions, a user can sign in via social media (like Facebook or LinkedIn) or third-party services (for instance, a Google account).
Bot protection box. Also known as CAPTCHA, the box verifies the user as a human and rules out automated login attempts.

Naturally, test scenarios for Login page should cover all those components with a series of comprehensive checkups.

Let’s divide them into categories.

They are divided into positive and negative test cases for Login page. The difference between them lies in the data they use and the objectives they pursue. Positive test cases for Login page operate expected data and focus on confirming the page’s functionalities. Negative test cases for Login page rely on unexpected data to expose vulnerabilities.

Each positive test scenario example for Login page in this class aims to validate the page’s ability to authenticate users properly and direct users to the dashboard. Positive test cases include.

Successful login with valid credentials (not only the actual name but also email address or phone number).
Login with the enabled multi-factor and/or biometric authentication.
Login with uppercase or lowercase in the username and password (aka case sensitivity test). The login should be permitted only when the expected case is present in the input fields.
Login with a valid username and a case-insensitive password.
Successful login with a remembered username and password.
Login with the minimum/required length of the username and password.
Successful login with a password containing special characters.
Login after password reset and/or account recovery.
Login with the “Remember Me” option.
Valid login using a social media account.
Login with localization settings (for example, different languages).
Simultaneous login attempts from multiple devices.
Login with different browsers (Firefox, Chrome, Edge).

Negative functional test cases for a login page presuppose denial of further entry and displaying an error message. The most common negative scenarios are:

Login with invalid credentials (incorrect username plus valid password, valid username plus incorrect password, or both invalid user input data).
Login without credentials (empty username and/or password fields).
Login with an incorrect case (lower or upper) in the username field.
Login with incorrect multi-factor authentication codes sent to users.
Login with expired, deactivated, suspended, or locked (after multiple failed login attempts) accounts.
Login with a password that doesn’t meet strength requirements.
Login with excessively long passwords or usernames (aka edge cases).
Login after the session has expired (because of the user’s inactivity).

While functional tests focus on the technical aspects of login pages in web or mobile applications, non-functional testing centers around user experience, ensuring the page is secure, efficient, responsive, and reliable. This category encompasses two basic types of test cases.

Security test cases

The overarching goal of security testing is to guarantee the safety of the login page. The sample test cases for Login page’s security are as follows:

Verify the page uses HTTPS to encrypt data transmission in transit and at rest.
Check automatic logout after inactivity (timeout functionality).
Enter JavaScript code in the login fields (cross-site scripting (XSS)).
Test for weak password requirements.
Attempt to hijack a user’s session to identify session fixation vulnerabilities.
Ensure the page doesn’t reveal whether a username exists in the system.
Secure hashing and salting of passwords in the database.
Attempt to overlay the page with malicious content (the so-called clickjacking).
Ensure secure generation and storage of session management tokens and cookies.
Test the security of account recovery and password reset procedures.
Assess SQL injection vulnerabilities (see details below in a special section).
Check the page’s resistance to DDoS attacks.
Gauge the system’s compliance with industry-specific and general security regulations.

Usability test cases

The purpose of each sample test case for Login page of this class is to ensure the landing page has superb user experience parameters (design intuitiveness, accessibility, visibility, responsiveness, cross-browser compatibility, localization, and others).

Verify the visibility of design elements (username and password fields, login button, “Forgot Password” link, “Remember Password” checkbox, etc.) and error messages for failed login attempts.
Check that all buttons have identical placement and spacing on different devices.
Ensure clear instructions and accessible options enabling users to easily find the registration page.
Test the page’s response time on devices with different screen sizes.
Verify the font size adjustment for each screen size.
Test the UI’s responsiveness to landscape/portrait transitions when the device’s orientation changes.
Check the page’s efficient operation across various browsers.
Make sure the page is accessible for visually and kinetically disadvantaged users.
Verify the page’s operation across different regions, time zones, and languages.

Conventionally, manual test cases for Login page rely on test scripts written in a specific programming language. What if you lack specialists in any of them? BDD (behavior-driven development) tests are just what the doctor ordered.

A typical BDD test case example for Login page consists of three statements following a Given-When-Then pattern. The Given statement defines the system’s starting point and establishes the context for the behavior.

The When statement contains the factor triggering a change in the system’s behavior. The Then statement describes the outcome expected after the event in the previous statement occurs. Here are some typical functional BDD test cases for the Login page.

Testing successful login
Given a valid username and password,
When I log in,
Then I should be allowed to log into the system.
Testing username with special characters
Given a username with special characters,
When I log in,
Then I should successfully log in. 
Testing an invalid password with a valid username
Given an invalid password for a valid username,
When I log in,
Then I should see an error message indicating the incorrect password
Testing empty username field
Given an empty username field,
When I log in,
Then I should see an error message indicating the username field is required.
Testing multi-factor authentication
Given a valid username and password with multi-factor authentication enabled,
When I log in,
Then I should see a message prompting to enter an authentication code.
Testing locked account
Given a locked account due to multiple failed login attempts,
When I log in,
Then I should see an error message indicating that my account is locked.
Testing the Remember Me option
Given a valid username and password with "Remember Me" selected,
When I log in,
Then I should remain logged in across sessions.
Testing password reset request
Given a password reset request,
When I follow the password reset process,
Then I should be able to enter a new password.
Testing account recovery request
Given an account recovery request,
When I follow the account recovery process,
Then I should be able to regain access to my account.

In some aspects, UI testing is related to usability checks, but there is a crucial difference. While usability test cases are called to ensure UX of the login page, UI test cases verify that its graphical elements (buttons, icons, menus, text fields, and more) appear correctly, are consistent across multiple devices and platforms, and function according to expectations. Here are some UI test cases for Login page examples.

Check the presence of all input fields on the page.
Verify the input fields accept valid credentials.
Ensure the system rejects login attempts after reaching a stipulated limit and displays a corresponding message.
Verify that the system displays an error message when a login is attempted with empty username and/or password fields and invalid username and/or password.
Confirm that the “Remember Password” checkbox selection results in saving credentials for future sessions.
Ensure the password isn’t compromised when using the “Remember Password” option.
Validate the presence and functionality of the “Forgot Password” link.
Confirm users receive instructions on how to reset their password.
Test the procedure of receiving and verifying the email to reset the password.
Check the system’s response when a user enters an invalid email to reset the password.
Ensure users get confirmation messages after resetting their passwords.
Validate the visibility of all buttons and input fields on the Login page.
Verify the page displays content correctly and functions properly when accessed through different browsers and their versions.
Ensure uniform styling across browsers by validating CSS compatibility.

Performance testing is a pivotal procedure for guaranteeing the smooth operation of the login page. The most common performance test cases for Login page include:

Gauge the time under normal and peak load conditions the login page needs to respond to user inputs.
Assess the number of successful logins within a specified time frame.
Check how the page handles certain amounts of simultaneous logins.
Check the system’s stability (memory leaks, performance degradation, etc.) during continuous usage over an extended period.
Simulate various scenarios of the network conditions to assess the page’s latency.
Track system resource utilization during login operations.

For the first Login page functionality, the test cases are:

Verify the presence of CAPTCHA on the page.
Confirm CAPTCHA appears after a definite number of failed login attempts.
Check the ability of the CAPTCHA image refreshment.
Ensure a reasonable timeout for the CAPTCHA to avoid its expiration.
Check the login prevention for invalid CAPTCHA.
Validate CAPTCHA alternative options (text or audio).

Test cases for cookies include:

Verify the setting of a cookie after successful login.
Check the cookie’s validity across multiple browsers until its expiry.
Ensure the cookie deletes after logout or session expiry.
Verify the cookie’s secure encryption.
Validate that expired/invalid cookies forbid access to authenticated pages and redirect the user to Login page.

Since the Google account is the principal access point for many users, it is vital to ensure a smooth entry into an application via the Gmail login page. The tests undertaken here are similar to other test cases described above.

Verify login with a valid/invalid Gmail ID and password.
Check “Forgot email” and “Forgot password” links.
Validate the operation of the “Next” button when entering the email.
Ensure masking of the password.
Ensure account lockout after multiple failed attempts.
Confirm “Remember me” functionality.
Validate login failure after clearing browser cookies.
Verify the support of multiple languages on the Gmail login page.
Evaluate the Gmail login page during peak usage.
Ensure the security of session management on the Gmail login page.

SQL injection attacks are the most serious security threat to IT solutions. How can you protect your login page from them?

SQL attacks boil down to entering untrusted data containing SQL code into username and/or password fields. What is the procedure that can help you repel such attacks?

Identify username and password input fields.
Test them by entering commonplace injection payloads (admin’ #, ‘ OR ‘a’=’a, ‘ OR ‘1’=’1′ –, ‘ AND 1=1 –).
Try to insert more advanced UNION-based and time-based blind SQL injections like ‘ UNION SELECT null, username, password FROM users –.
Check whether a single or double quote in either field triggers an error.
Verify whether database error messages are shown after payloads are submitted.
Check whether a SQL injection provides unauthorized access.
Verify the system account’s lockout after multiple failed logins.
Confirm the system rejects malicious or invalid inputs.

When writing and implementing test cases for Login page, it is vital to follow useful recommendations by experienced QA experts.

We offer practical tips that will help you maximize the value of test cases in this domain.

Test cases should be straightforward and descriptive

Test cases should be understandable to the personnel who will carry them out. Simple language, consistent vocabulary, and logical steps are crucial for the test case’s success. Plus, all expectations you have concerning the test case implementation and outcomes should be clearly described in the Preconditions section.

Both positive and negative scenarios should be included

You should verify not only what must happen but also take measures against what mustn’t. By adopting both perspectives, you will boost the system’s reliability manifold.

The login page is the primary target for cybercriminals, as it grants access to the website’s or app’s content. That is why SQL injection, weak password, and brute-force attempt threats should be included in test cases in the first place. Equally vital are session expiration, token storage, and error message sanitization checks.

Device diversity is mission-critical

A broad range of gadgets, screen sizes, browsers (and their versions), and operating systems is the reality of the current user base. Your Login page test cases should take this variegated technical landscape into account and ensure the page works well for everyone and everything.

Automation reigns supreme

Given the huge number of Login page aspects to be checked and verified, their manual testing is extremely time- and effort-consuming. Consequently, test automation in this niche is non-negotiable. What platforms can become a good crutch in such efforts?

Each of the tools we recommend has its unique strengths.

Testomat.io

Testomat.io is a fantastic tool for creating and managing test cases, especially for critical pages like login forms. With Testomat, you can quickly set up organized test suites, add detailed test cases for scenarios like valid/invalid credentials, and track results in real time. It streamlines the testing process, making it easier to ensure your login functionality works flawlessly across different conditions.

Appium

This open-source framework is geared toward mobile app (both iOS and Android) testing automation. However, it can also be used for writing test cases for hybrid and web apps. Its major forte is test case creation without modifying the apps’ code.

BrowserStack Test Management

This subscription-based unified platform excels at manual and automated test case creation that can be essentially streamlined and facilitated thanks to intuitive dashboards, quick test case import from other tools, integration with test management solutions (namely Jira), and the leveraging of AI for test case building.

Testomat.io is a comprehensive software test automation tool that enables conducting exhaustive checks of all types. To create and manage test for login page with Testomat.io follow this guide:

To get started, create a dedicated suite for “Login Functionality” or “Authentication.” Then, add test cases for various login scenarios, such as valid credentials, invalid username or password, empty fields, and more.
For valid credentials, check if the user successfully logs in and is redirected to the home page. For invalid credentials, ensure an error message appears. Test empty fields by verifying that validation messages prompt the user to fill in the necessary fields. If there’s a “Remember Me” option, test it by verifying that the user is automatically logged in or their credentials are pre-filled after reopening the browser.

Lastly, test the “Forgot Password” link to confirm it redirects users to the password reset page. Testomat.io streamlines managing and tracking these scenarios, making your testing process more efficient.

Frequently asked questions

What are the essential components to include when writing test cases for a login page?

When writing test cases for a login page, it’s important to include several key components. First, a unique Test Case IDshould be assigned to each test case to distinguish it. The Test Case Title should clearly describe the scenario being tested, such as “Testing valid login with correct credentials.” It’s also essential to define Preconditions, which describe any requirements that must be met before executing the test, like the user being registered. The Test Steps outline the actions the tester needs to take, such as entering the username, password, and clicking the login button. After that, the Expected Result should describe the anticipated outcome of the test, such as the user successfully logging into the system. Once the test is executed, the Actual Result can be recorded, and the test’s Status (Pass or Fail) will be based on whether the actual result aligns with the expected one. Finally, if necessary, Postconditions should be included to show the state of the system after the test.

How can I test for security issues in the login page, like brute-force protection and password strength?

To test security issues on the login page, various scenarios should be considered. For brute-force protection, a test case should check if the system locks the account or shows a CAPTCHA after multiple failed login attempts. The tester can simulate this by repeatedly entering incorrect credentials, and the system should respond by preventing further attempts or requiring additional verification. Another area to test is password strength enforcement. This involves testing whether the system enforces password complexity, such as rejecting simple passwords like “12345” and requiring a mix of uppercase letters, special characters, and numbers. Finally, session security should be tested to ensure that once a user logs out, their session is properly terminated. A test can be conducted by logging in, then logging out, and attempting to access the system through the URL without being prompted to log in again. If the system is secure, it should redirect the user to the login page, preventing access to any logged-in pages.

How do I write test cases for different login scenarios, such as invalid username, invalid password, and empty fields?

Writing test cases for different login scenarios is crucial to ensure all edge cases are covered. For invalid usernames, a test case should check if the system displays an appropriate error message when an incorrect username is entered while the password remains valid. This test will help ensure the system doesn’t allow access for non-existent usernames. Similarly, for invalid passwords, a test case should verify that entering a valid username but an incorrect password prompts the system to show an error message indicating that the password is wrong. It’s also essential to test for empty fields by leaving the username or password blank and submitting the login form. The system should not accept empty inputs and should display a message indicating that both fields are required. Lastly, for a successful login, a test case should confirm that entering the correct username and password allows access to the system and redirects the user to the appropriate page, ensuring the system behaves as expected in normal conditions.