Back to guides

GUIDE / manual

How to Write Test Cases for a Login Page (with Examples)

Write test cases for a login page with positive, negative, security, and lockout examples, plus a reusable template and practical QA checklist.

By The Testing AcademyPublished July 9, 2026Updated July 9, 202618 min read

Login packs authentication, session creation, validation messaging, lockouts, and recovery into one small screen. Test cases for a login page must cover more than valid credentials: user enumeration, open redirects, broken sessions, and authorization entry after a successful sign-in.

This guide gives you a complete way to design test cases for a login page: requirements questions, scenario map, positive and negative examples, security and accessibility checks, a reusable table, common mistakes, and a prioritization model. Use it for web apps, admin portals, and SaaS products where email and password login is still core.

Why Login Page Testing Deserves Extra Care

Login failures block users completely. Login defects also create security incidents. That combination makes login high risk even when the UI looks simple.

Typical risks:

  • Valid users cannot enter the product.
  • Invalid users can enter the product.
  • Attackers learn which emails are registered.
  • Sessions persist after logout.
  • Lockout logic is missing or locks the wrong accounts.
  • Redirects send users to unsafe destinations.
  • Error messages leak stack traces or internal IDs.
  • Mobile and desktop validation behave differently.

Because login is reused constantly, one defect multiplies across every release. Treat it as a product capability, not a form demo.

Clarify Requirements Before Writing Test Cases for Login Page Flows

Before you write cases, extract rules. If documentation is incomplete, list assumptions and get confirmation.

Functional questions

  • Which identifiers are allowed: email, username, phone, all of them?
  • Is password case sensitive?
  • Is login rate limited?
  • What happens after success: dashboard, last visited page, role home?
  • Is "remember me" supported, and for how long?
  • Is MFA required for all users or only some roles?
  • Are social login and SSO in scope for this page?
  • Can users with unverified email log in?
  • Are inactive, suspended, or deleted accounts handled differently?

Security questions

  • Are error messages generic for wrong password and unknown user?
  • Is account lockout temporary or admin controlled?
  • Are cookies Secure, HttpOnly, and SameSite configured as required?
  • Is HTTPS enforced?
  • Are open redirects blocked on return URL parameters?
  • Is captcha triggered after repeated failures?

UX and accessibility questions

  • Can users complete login by keyboard only?
  • Are field labels and errors announced for assistive tech?
  • Are password show/hide controls accessible?
  • Do validation messages appear inline, on submit, or both?

Write these answers into a short rules sheet. Your test cases should map to those rules, not to guesswork. For broader case writing technique, use the foundation guide on how to write test cases.

Scenario Map for a Login Page

Convert requirements into scenarios first. Scenarios become cases later.

Core authentication scenarios

  • Valid credentials login.
  • Invalid password.
  • Unknown account identifier.
  • Blank identifier.
  • Blank password.
  • Both fields blank.
  • Invalid identifier format.
  • Leading or trailing spaces in email or username.
  • Copy-pasted password with hidden characters.
  • Case variation in email if policy ignores case.
  • Case variation in password if policy is case sensitive.

Account state scenarios

  • Active verified user.
  • Unverified email user.
  • Locked user.
  • Suspended user.
  • Password expired user.
  • User forced to reset password on next login.
  • Deleted or deactivated user.

Session and navigation scenarios

  • Redirect to default home after login.
  • Redirect to deep link after login.
  • Reject malicious redirect targets.
  • Refresh after login keeps session.
  • Logout clears session.
  • Back button after logout does not show protected content.
  • Concurrent login from second device if policy defines it.

Optional feature scenarios

  • Remember me enabled.
  • Remember me disabled.
  • MFA challenge success.
  • MFA challenge failure.
  • SSO entry and return.
  • Social login success and cancel.
  • Captcha after N failures.
  • Language or locale specific validation messages.

Non-functional scenarios

  • Keyboard-only login.
  • Screen reader accessible labels and errors.
  • Slow network submit behavior.
  • Double submit of login button.
  • SQL injection style input.
  • Script tags in identifier field.

This map is intentionally broader than a beginner list. You will prioritize later.

Test Case Template for Login

Use a consistent format so reviewers can scan coverage quickly.

Test Case ID:
Title:
Requirement Reference:
Priority:
Type: Positive | Negative | Boundary | Security | Accessibility | Regression
Preconditions:
Test Data:
Steps:
  1.
  2.
  3.
Expected Result:
Actual Result:
Status:
Notes:

Compact table form for suite design:

FieldExample
IDTC-LOGIN-001
TitleVerify successful login with valid email and password
PriorityHigh
PreconditionsActive user exists, user is logged out
Databuyer@example.com / ValidPass#2026
ExpectedDashboard loads, authenticated session created

Test Cases for a Login Page: Core Functional Coverage

Positive cases

IDTitlePreconditionsTest dataExpected resultPriority
TC-LOGIN-001Valid email and password loginActive verified user, logged outValid email, valid passwordUser is authenticated and lands on default homeHigh
TC-LOGIN-002Valid username login if supportedActive user with usernameValid username, valid passwordLogin succeeds using username identifierHigh
TC-LOGIN-003Redirect to original deep linkUser tried to open /orders while logged outValid credentials, return URL /ordersAfter login, user lands on /ordersHigh
TC-LOGIN-004Role-based landing pageAdmin user existsAdmin credentialsAdmin lands on admin home, not buyer homeHigh
TC-LOGIN-005Login after successful password resetPassword just resetNew passwordLogin succeeds with new password onlyHigh
TC-LOGIN-006Remember me keeps session per policyRemember me enabled in requirementsValid credentials, remember me onSession persists for configured durationMedium

Validation and negative cases

IDTitleSteps summaryExpected resultPriority
TC-LOGIN-010Submit with blank emailLeave email empty, enter password, submitEmail required message, no authenticationHigh
TC-LOGIN-011Submit with blank passwordEnter email, leave password empty, submitPassword required message, no authenticationHigh
TC-LOGIN-012Submit with both fields blankSubmit empty formRequired field messages, no request successHigh
TC-LOGIN-013Invalid email formatEnter user@, enter password, submitFormat validation, authentication not attempted or safely rejectedMedium
TC-LOGIN-014Wrong passwordValid email, wrong passwordGeneric invalid credentials message, no sessionHigh
TC-LOGIN-015Unknown emailUnregistered email, any passwordSame generic failure behavior as wrong password if policy requiresHigh
TC-LOGIN-016Inactive accountInactive user credentialsAccess denied with approved message, no sessionHigh
TC-LOGIN-017Locked accountLocked user credentialsLockout message or generic denial per policyHigh
TC-LOGIN-018Unverified email login policyUnverified userEither blocked with verify prompt or allowed, matching requirementHigh
TC-LOGIN-019Leading/trailing spaces in emailbuyer@example.comTrimmed acceptance or explicit validation, consistentlyMedium
TC-LOGIN-020Password with leading space characterPassword that includes intentional spaces if allowedBehavior matches password policy exactlyMedium

Detailed worked example: wrong password

Test Case ID: TC-LOGIN-014
Title: Verify wrong password is rejected with safe messaging
Requirement Reference: AUTH-LOGIN-AC3
Priority: High
Type: Negative / Security
Preconditions:
  - Account buyer@example.com exists and is active
  - Account is not locked
  - User is logged out
Test Data:
  - Email: buyer@example.com
  - Password: WrongPass#000
Steps:
  1. Open the login page over HTTPS.
  2. Enter buyer@example.com in the email field.
  3. Enter WrongPass#000 in the password field.
  4. Submit the form.
  5. Attempt to open a protected URL directly.
Expected Result:
  - Login fails.
  - A generic invalid credentials message is shown.
  - Message does not state that the email exists.
  - No authenticated session cookie or token is issued.
  - Protected URL redirects back to login.
  - Failed attempt counter increases if lockout is enabled.

This level of expected result detail is what separates useful cases from vague "check invalid login" notes.

Boundary and Data-Oriented Login Cases

Login fields still have boundaries. Use ideas from boundary value analysis and equivalence partitioning.

Examples:

  • Email local part at maximum accepted length.
  • Email longer than maximum accepted length.
  • Password at minimum length.
  • Password one character below minimum if validated client-side.
  • Password at maximum length.
  • Password above maximum length.
  • Unicode characters in email local part if product claims support.
  • Very long password paste that could break UI or API payload limits.
  • Empty unicode whitespace only values.
IDTitleData ideaExpected
TC-LOGIN-030Min length password login if policy allowsPassword exactly min length and validSuccess if password meets all rules
TC-LOGIN-031Below min length passwordPassword length min-1Validation error, no auth
TC-LOGIN-032Max length passwordPassword exactly max lengthSuccess or accepted processing
TC-LOGIN-033Over max length passwordPassword max+1Validation error or safe server rejection
TC-LOGIN-034Extremely long email string500+ char email-like stringNo crash, clear validation or 4xx handling

Security Test Cases for Login Page

Security cases are mandatory for login, even in functional suites.

Messaging and enumeration

  • Wrong password and unknown user produce indistinguishable responses if policy requires anti-enumeration.
  • Response timing should not obviously differ in a way product security forbids. Perfect timing equality is hard, but gross differences may be in scope for security review.
  • Error text never includes stack traces, SQL errors, or user database IDs.

Brute force and lockout

IDTitleExpected
TC-LOGIN-040Five failed attempts lock account if policy is fiveAccount locked after threshold
TC-LOGIN-041Attempt during lockout windowLogin blocked even with correct password
TC-LOGIN-042Lockout expires after configured timeLogin works again after expiry if temporary
TC-LOGIN-043Captcha appears after thresholdCaptcha required before further attempts
TC-LOGIN-044Lockout is per account not global IP only if requiredOther users can still log in

Document exact thresholds from requirements. Do not invent "five attempts" if product uses three or ten.

  • After login, session token exists with required flags.
  • After logout, session token is invalidated server-side.
  • Old session token cannot access APIs after logout.
  • Password change invalidates other sessions if required.
  • Login over HTTP redirects to HTTPS if HTTPS is required.

Injection and abuse inputs

Examples of inputs to attempt in identifier or password fields:
- ' OR '1'='1
- admin'--
- <script>alert(1)</script>
- ../../etc/passwd
- extremely long repeated characters

Expected result for these is safe rejection or harmless storage, no authentication bypass, no script execution in admin or logs rendering contexts you own, and no server crash.

Open redirect

If login supports ?next= or ?returnUrl=:

  • Allow internal paths such as /dashboard.
  • Reject external targets such as https://evil.example.
  • Reject protocol-relative tricks and encoded bypass attempts according to security rules.
IDTitleReturn URLExpected
TC-LOGIN-050Safe internal redirect/settings/profileLands on profile after login
TC-LOGIN-051External redirect blockedhttps://evil.exampleIgnored or blocked, safe fallback home
TC-LOGIN-052Encoded external redirect blockedURL-encoded external targetStill blocked

MFA, SSO, and Social Login Cases

If your login page includes these, do not stop at password cases.

MFA

  • Valid password then valid MFA code succeeds.
  • Valid password then invalid MFA code fails and does not create full session.
  • MFA code reuse behavior matches policy.
  • MFA timeout expires correctly.
  • Recovery code path works and is rate limited.
  • User cannot skip MFA by browsing directly to a protected route mid-challenge.

SSO

  • SSO button sends user to identity provider.
  • Successful IdP login returns linked app session.
  • User cancels at IdP and returns safely.
  • Unlinked enterprise account is handled with clear messaging.
  • Clock skew or assertion errors show safe failure.

Social login

  • First-time social login creates or links account per policy.
  • Existing linked account signs in.
  • Denied permission on provider side fails gracefully.
  • Email conflict with existing password account follows merge policy.

These often need separate high priority suites because failures are common around account linking.

UX, Accessibility, and Reliability Cases

UX

  • Password mask is on by default.
  • Show password toggle works and is easy to discover.
  • Caps lock warning appears if product supports it.
  • Field focus order is logical: identifier, password, submit.
  • Enter key submits when focus is in password field.
  • Double clicking submit does not create duplicate sessions or confusing errors.

Accessibility

  • Every input has an accessible name.
  • Error messages are associated with fields.
  • Focus moves to first error or a summary according to design system.
  • Color is not the only error signal.
  • Keyboard user can reach show password and submit controls.

Reliability

  • Slow network: button shows pending state and avoids silent failure.
  • API 500: user sees recoverable error, not a blank page.
  • Offline: clear failure state.
  • Browser autofill still allows successful submit.

Session Lifecycle Cases After Login

Login testing is incomplete without post-login session checks.

  1. Login success creates access to protected pages.
  2. Browser refresh keeps user logged in while session is valid.
  3. Logout removes access.
  4. Back button after logout does not display cached private data in a usable authenticated state.
  5. Session timeout forces re-authentication.
  6. Concurrent session rules are enforced if product limits devices.

Example:

Title: Verify protected page is inaccessible after logout
Steps:
  1. Log in with valid credentials.
  2. Open /account/billing.
  3. Confirm billing content is visible.
  4. Log out.
  5. Use browser back or paste /account/billing.
Expected:
  - User must authenticate again.
  - Billing data is not shown as an authenticated view.

Prioritizing Login Test Cases

You rarely execute every possible case on every build. Prioritize.

PriorityInclude
P0 SmokeValid login, invalid credentials, logout session clear, HTTPS page load
P1 ReleaseValidation, lockout, redirect safety, role landing, unverified/locked states
P2 DeepBoundaries, remember me matrix, accessibility depth, social edge cases
P3 ExploratoryWeird unicode, unusual browsers, rare SSO failures

For CI, automate P0 and many P1 cases with stable test users. Keep destructive lockout tests carefully isolated so they do not lock shared accounts.

Test Data Setup for Login Suites

Stable login testing needs dedicated accounts:

AccountPurpose
active.buyer@example.comHappy path
active.admin@example.comRole redirect
locked.user@example.comLockout state
unverified.user@example.comVerification policy
expired.password@example.comForced reset
mfa.user@example.comMFA flow

Rules:

  • Do not share passwords across all environments without a vault pattern.
  • Reset lockout state in test setup or use disposable users.
  • Never rely on production user data.
  • Document whether email casing is normalized.

Common Mistakes When Writing Test Cases for Login Page Coverage

Mistake 1: Only testing happy path and one wrong password

Teams ship lockout bugs, redirect bugs, and session bugs because the suite stops at two cases.

Mistake 2: Expected result is "error message shown"

Which message? Does a session still get created? Can the user hit APIs anyway? Specify security-relevant outcomes.

Mistake 3: Ignoring account states

Active, locked, suspended, unverified, deleted, and password-expired users often take different code paths.

Mistake 4: Using one shared tester account for everything

One person locks the account, everyone is blocked, and results become noise.

Mistake 5: Forgetting logout and timeout

Login success with broken logout is still a serious defect.

Mistake 6: Not checking generic messaging policy

Product may require identical responses for unknown user and wrong password. If your case expects "user not found," you may be encoding a security bug as a requirement.

Mistake 7: Skipping mobile and password manager behavior

Autofill, iOS Safari quirks, and mobile keyboard flows break login more often than desktop Chrome demos suggest.

Mistake 8: Writing steps that depend on current button copy only

Prefer resilient intent: "Submit the login form" plus important labels. Update cases when UX changes, but avoid brittle essays.

Sample Mini Suite You Can Copy

Use this as a starter pack and extend with product-specific rules.

  1. TC-LOGIN-001 Valid login.
  2. TC-LOGIN-010 Blank email.
  3. TC-LOGIN-011 Blank password.
  4. TC-LOGIN-014 Wrong password.
  5. TC-LOGIN-015 Unknown user safe messaging.
  6. TC-LOGIN-016 Inactive account.
  7. TC-LOGIN-003 Deep link redirect.
  8. TC-LOGIN-051 External redirect blocked.
  9. TC-LOGIN-040 Lockout threshold.
  10. TC-LOGIN-060 Logout clears session.
  11. TC-LOGIN-061 Timeout requires re-login.
  12. TC-LOGIN-070 Keyboard-only login success.

Twelve cases will not finish a bank-grade auth system, but they already beat "test login works."

Turning Failed Login Cases Into Defects

When a case fails, write a defect with evidence: browser, account state, request status if visible, screenshots, and whether session tokens appeared. Weak bug reports slow auth fixes. Use the structure from how to write a bug report.

Bad bug title:

Login issue

Better bug title:

Active user remains authenticated on /billing after logout when using browser back

Include expected security result, not only UI text.

Automation Notes for Login Tests

Good automation candidates:

  • Valid login and assert protected page marker.
  • Invalid credentials and assert no protected content.
  • Validation messages for required fields.
  • Redirect allowlist checks with internal return URLs.
  • Logout session invalidation via UI plus API probe.

Handle carefully:

  • Lockout tests: use dedicated users and cleanup.
  • MFA: use test secrets or bypass hooks in non-prod only.
  • Captcha: test hooks, never break production captcha.

Avoid hard coding production credentials in repositories.

Example assertion mindset in plain language:

After invalid login:
- URL remains on login or approved error state
- Protected resource request returns unauthorized
- No auth cookie present, or cookie is unauthenticated

UI assertion alone is not enough if APIs still accept an accidental token.

Regression Strategy Around Login Changes

Any change to auth libraries, cookie policy, MFA, SSO, or session store should trigger login regression. Minimum set:

  • Valid login.
  • Invalid login.
  • Logout.
  • Session timeout if changed.
  • Redirect rules if changed.
  • One account state failure path.
  • One role-based landing check.

If a production auth incident happens, add a permanent regression case with the incident ID in traceability.

Practice Exercise

Open a practice application or a QABattle challenge that includes authentication behavior. In 30 minutes:

  1. Write 10 login scenarios.
  2. Convert 5 into fully detailed cases with data and expected results.
  3. Mark security-sensitive expectations explicitly.
  4. Identify 3 automation candidates.
  5. List 3 open requirement questions.

Then compare with a peer. Gaps usually appear in account states, redirects, and session invalidation. For hands-on repetition, use QABattle sign-up and run manual track battles that force you to document cases under time pressure.

Login Test Case Review Checklist

Before you call the suite done:

  • Positive authentication is covered.
  • Required field validation is covered.
  • Invalid credentials are covered.
  • Unknown user messaging matches security policy.
  • Account states are covered or explicitly out of scope.
  • Lockout or rate limit rules are covered if present.
  • Redirect safety is covered if return URLs exist.
  • Session creation, logout, and timeout are covered.
  • MFA/SSO paths are covered if offered on the page.
  • Accessibility smoke checks exist for the form.
  • Test data accounts are stable and documented.
  • Priority labels match business risk.
  • Cases link to requirements or risks.

Login rarely stands alone. After this suite, extend into:

  • Registration and first-time login.
  • Forgot password and reset token expiry.
  • Change password while logged in.
  • Profile email change re-verification.
  • OAuth token refresh for API clients.

Registration overlaps many validation lessons. Continue with test cases for a registration form when you want the create-account side of authentication.

Conclusion

Strong test cases for a login page work do more than prove a green sign-in button. They verify identity rules, safe failure behavior, session lifecycle, redirects, account states, and the security promises users never see until something breaks. Start from requirements and risks, map scenarios, write precise expected results, and prioritize ruthlessly for smoke, release, and deep regression.

If you keep only one habit from this guide, keep this one: every login case should state what the user sees and what authenticated power the system grants or denies. That dual expectation is how login testing protects both usability and security.

FAQ

Questions testers ask

How many test cases are needed for a login page?

A solid login suite often has 15-40 cases depending on features like SSO, MFA, lockout, remember me, and social login. Cover valid login, validation, invalid credentials, state rules, security, accessibility basics, and session behavior. Prioritize by risk rather than chasing an arbitrary count.

What are the most important positive test cases for login?

The highest value positive cases are successful login with valid credentials, correct redirect to the intended destination, session creation, role-based landing pages, and successful login after password reset. If MFA or SSO exists, include happy paths for those as well.

What negative test cases should I write for login?

Include blank fields, invalid email format, wrong password, unknown user, inactive or locked account, expired password if applicable, SQL or script injection attempts in inputs, and repeated failed attempts. Negative cases should verify safe messages and blocked access, not only error text.

Should login error messages say whether the email exists?

Usually no. Generic messages such as invalid email or password reduce user enumeration risk. Confirm with security and product requirements. Your test cases should verify the approved messaging policy, including identical responses for unknown users and wrong passwords when that is the rule.

How do I test remember me and session timeout on login?

For remember me, verify cookie or token lifetime, survival across browser restart if required, and secure attributes. For timeout, authenticate, idle past the limit, then attempt a protected action and confirm re-authentication is required without exposing protected data.

Can login test cases be automated?

Yes. Stable happy path, validation, invalid credential, lockout setup with controlled test users, and redirect checks are strong automation candidates. Keep captcha, pure visual polish, and highly dynamic anti-bot challenges as manual or specialized checks unless you have test hooks.