A Login page is more than just a place for users to access their account. It is a critical page to adhere to security, privacy, and even personalization best practices. This page is always a strong point of focus when conducting software testing or web testing. If you are trying to test your login page and don’t know where to start, read on and discover 100 test cases for Login Page that you can use for references.   
 

In this article, we will list out the most common and essential test cases for the Login page and categorize them in groups. We also include a test case template for you to get started more quickly.   
 

Read More: A Complete Web Testing Checklist

1. Positive Login Page Test Cases

Positive test cases are test cases that follow the “happy path” i.e. testing if the Login page functions as expected under valid inputs. These test cases explore scenarios where users do what they are supposed to do, such as:

1. Valid username and password combination successfully logs the user in.
2. Testing with the minimum allowed username and password length.
3. Testing with a username and password containing alphanumeric characters.
4. Successful login with the "Remember Me" option selected.
5. Testing login with a username that contains both uppercase and lowercase characters.
6. Successful login using a valid email address as the username.
7. Successful login using a valid phone number as the username.
8. Successful login with multi-factor authentication (MFA) enabled.
9. Testing login with a username that includes special characters (e.g., @, #, $).
10. Successful login using social media accounts (if applicable).
11. Successful login using biometric authentication (e.g., fingerprint, face recognition).
12. Testing login after a password reset to ensure the new password works.
13. Successful login after an account recovery process.
14. Successful login with localization settings (testing with different languages).
15. Testing login with different browsers (e.g., Chrome, Firefox, Edge).

Write All Those Tests Faster & Better With Katalon Studio

2. Negative Login Page Test Cases

In contrast, negative testing for the Login page aims to explore scenarios that deviate from that “happy path”. Users don’t always do what we want them to do. Sometimes they do unexpected things, and a good tester understands that unpredictability to test accordingly. Some common negative test cases you should test on your Login page include:

1. ​​Entering an incorrect password for a valid username.
2. Entering an incorrect username for a valid password.
3. Entering an empty username field.
4. Entering an empty password field.
5. Entering a username that does not exist in the system.
6. Entering a password that does not meet password strength requirements.
7. Testing login with excessive length usernames and passwords.
8. Testing login with incorrect case (uppercase/lowercase) in the username.
9. Testing login with expired or deactivated user accounts.
10. Testing login with suspended user accounts.
11. Multiple consecutive failed login attempts triggering an account lockout.
12. Testing login after the session has expired due to inactivity.
13. Testing login with incorrect multi-factor authentication (MFA) codes.
14. Entering invalid characters (e.g., scripts) in the username or password fields.
15. Testing login with CAPTCHA validation failure.

With negative testing, you have to be creative. The more complex your login and authentication process is, the more test cases you will need to perform. Put yourself in the shoes of a user who has never interacted with the system before. Be a person that makes mistakes all the time and simply think of all the “bad” possibilities that can happen in your system, or specifically your Login page.

3. Performance Test Cases For Login Page

Performance testing checks if the Login page can handle various levels of traffic and user visits. While all websites should have good loading speed and can handle large volumes of traffic to this page, certain types of websites should pay more attention to its performance than others, especially websites that receive a massive amount of traffic.  
 

For example, eCommerce websites rely quite heavily on strong performance. Slow loading time on the Login page means lost revenue. Similarly, public services and financial institutions expected to be up and running 24/7 must also ensure that their system can withstand sudden spikes in traffic. 

Educational institutions usually don’t also experience large volumes of traffic to the Login page during the school year, but in enrollment seasons, it skyrockets, and performance testing here provides data to make informed decisions on web resource optimization.

Here are some performance test cases for Login page:

1. Measure and document the average load time for the login page.
2. Conduct load testing to determine the maximum concurrent user logins the system can handle.
3. Evaluate the login page's response time during peak usage hours.
4. Monitor server resource utilization (CPU, memory, bandwidth) during login attempts.
5. Test the login page's performance on various browsers and devices.
6. Test the login page's performance with slow internet connections.
7. Measure the time it takes to recover from a failed login attempt.
8. Evaluate the login page's performance when the system database is under heavy load.
9. Test the login page's performance during distributed denial of service (DDoS) attacks.
10. Evaluate the system's ability to handle high volumes of simultaneous login attempts.
11. Measure the impact of login rate limiting on performance.
12. Conduct performance testing with different authentication methods (e.g., password, MFA).
13. Test the login page's performance with a large number of inactive user accounts.
14. Evaluate the impact of CAPTCHA validation on login page performance.
15. Measure the time it takes for a user to receive an authentication code (MFA) if applicable.

Read More: Performance Testing vs Load Testing

4. Security Test Cases For Login Page

The Login page is considered to be the first layer of security for many systems. Its role is primarily for access control and user authentication. Through this page, developers can have a better control of what data users get to access.   
 

For example, in membership sites, the Login page can be the “gate” separating subscribers and non-subscribers. Team members have a separate Login page where they can type in their credentials to access the system’s backend. That’s why security testing for the Login page is especially important.

Usually security testing are performed in-house, but sometimes an external security testing team can also be requested to come in and launch an authorized attack on the system to identify vulnerabilities, which is usually known as penetration testing.
 

Below are 15 popular security test cases for the Login page:

1. Test for SQL injection vulnerabilities by attempting to inject SQL code into username and password fields.
2. Test for Cross-Site Scripting (XSS) vulnerabilities by entering script tags in the login fields.
3. Verify that the login page uses HTTPS to encrypt data transmission.
4. Test for session fixation vulnerabilities by attempting to hijack a user's session.
5. Verify that user passwords are securely hashed and salted in the database.
6. Test for clickjacking vulnerabilities by attempting to overlay the login page with malicious content.
7. Check for brute force attack protection mechanisms (account lockout, rate limiting).
8. Verify that the login page does not reveal whether a username exists in the system.
9. Test for user enumeration vulnerabilities by attempting to determine if a username exists.
10. Verify that session tokens and cookies are securely generated and stored.
11. Test the security of password reset and account recovery processes.
12. Evaluate the login page's resistance to DDoS attacks.
13. Test for insecure password policies (e.g., weak password requirements).
14. Verify that error messages do not provide too much information about the failure (e.g., "Invalid username" instead of "Invalid username and password").
15. Evaluate the system's compliance with relevant security standards (e.g., OWASP Top Ten).

5. How to test SQL Injection on Login Page

SQL Injection is when malicious SQL code is inserted into input fields or data inputs of a web application to destroy your database. This is one of the most common web hacking techniques currently, although it has been around for more than 2 decades.  
 

Suppose there is a login page for a website that checks the entered username and password against a database of user credentials using SQL queries. The login page URL is: “https://example.com/login”.  
 

Backend code that does not properly validate user inputs will be highly vulnerable to such attacks.. Here's a simplified representation of the vulnerable code written in Python using SQL:  
 

username = get_user_input()  # Simulated user input
password = get_user_input()  # Simulated user input
# Constructing the SQL query
query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
 

In the code snippet above, there are 2 vulnerabilities:

1. The username and password variables are obtained from user input fields on the login form without any further validation.
2. The SQL query is constructed by concatenating user inputs directly into the query string. This means that an attacker can manipulate the input fields to inject malicious SQL code.

An attacker can exploit those vulnerabilities to bypass the login and potentially gain unauthorized access to the system in 2 steps::

1. In the username field, the attacker enters a valid username (e.g., "user").
2. In the password field, the attacker enters the following input: ' OR '1'='1

The constructed SQL query would look like this:  
 

SELECT * FROM users WHERE username='user' AND password='' OR '1'='1'
 

In SQL, '1'='1' is always true, so this modified query effectively bypasses the password check. The application retrieves all records where the username is 'user' and where '1' is equal to '1', which will match all rows.  
 

The attacker successfully logs in without knowing the correct password because the SQL query always evaluates to true. After that, depending on the application's functionality and the attacker's goals, they can manipulate or extract sensitive data from the database. The impact can be irreversible.   
 

Read More: What is Database Testing?  
 

Here are several SQL injection test cases you can try on your Login page:  
 

1. 1=1 quotes: In the username and password fields, try entering single quotes (' or '1=1) to see if the application is vulnerable to SQL Injection. The '1=1' part is a common SQL Injection payload that often returns true, effectively bypassing the login.
2. Union-Based SQL Injection: In the username or password field, try using a UNION SELECT statement to see if you can extract data from the database. For example, you might enter something like ' UNION SELECT username, password FROM users--.
3. Error-Based SQL Injection: Try entering input that you know will trigger an SQL error. For instance, ' OR 1=1; -- should be handled gracefully without revealing database error messages. If the application displays detailed SQL errors, it might be vulnerable.
4. Time-Based Blind SQL Injection: Test for blind SQL Injection by using time-based payloads. For example, ' OR IF(1=1, SLEEP(5), 0); --. If the login delay is noticeable when this payload is used, it may indicate a blind SQL Injection vulnerability.
5. Input Encoding: Attempt to bypass input validation by encoding SQL Injection payloads. For example, try URL encoding, HTML encoding, or double URL encoding of payloads.
6. Consult OWASP: Refer to the OWASP (Open Web Application Security Project) guidelines and testing methodologies for comprehensive SQL Injection testing strategies.

6. Gmail Login Page Test Cases

Test cases for Gmail Login page is similar to any other types of Login page:

1. Verify that the Gmail login page is accessible from the Gmail homepage.
2. Test login with valid Gmail account credentials.
3. Test login with an incorrect Gmail account password.
4. Test login with an incorrect Gmail account username/email.
5. Test login with a Gmail account that has two-factor authentication (2FA) enabled.
6. Verify that the "Stay signed in" option works as expected on Gmail's login page.
7. Test the "Forgot password?" link for password recovery functionality.
8. Test login using Google's "Sign in with Google" option (if available).
9. Verify that the Gmail login page supports multiple languages.
10. Test the login page's responsiveness on various devices (desktop, mobile, tablet).
11. Check for security features like CAPTCHA or anti-bot mechanisms.
12. Test the Gmail login page's performance during peak usage times.
13. Verify that session management on Gmail's login page is secure.
14. Test the login page's behavior when JavaScript is disabled.
15. Test the behavior of the "Create account" link for new Gmail account registration.

Read More: 100 Test Cases For Registration Page

7. Test Cases For Login Page on Mobile Application

Here we venture towards the domain of mobile testing, which comes with their own unique challenges. For one, these devices have a wide range of models, screen resolutions, as well as mobile-only technologies that testers need to take into account. Here are several login page test cases for mobile apps in particular:

1. Test the login page's layout and elements on different mobile devices (e.g., phones, tablets).
2. Verify that the mobile app's login page supports both portrait and landscape orientations.
3. Test login with valid credentials on the mobile app's login page.
4. Test login with incorrect credentials on the mobile app's login page.
5. Test login with special characters and symbols in the username and password fields.
6. Test the "Forgot password?" functionality on the mobile app's login page.
7. Verify that the mobile app's login page is responsive to various screen sizes.
8. Test the behavior of the "Remember Me" option on the mobile app's login page.
9. Test the behavior of the "Stay signed in" option on the mobile app's login page.
10. Test login with multi-factor authentication (MFA) on the mobile app's login page.
11. Verify that the mobile app's login page integrates with the device's biometric authentication (e.g., fingerprint, face recognition).
12. Test the performance of the mobile app's login page on different mobile networks (3G, 4G, Wi-Fi).
13. Test the mobile app's login page with different versions of the mobile operating system (e.g., Android, iOS).
14. Verify that the mobile app's login page functions correctly when the device is in airplane mode.
15. Test the behavior of the mobile app's login page when the device has limited storage space.

Read More:  Top API Test Cases You Should Test

8. BDD Test Cases For Login Page

BDD testing is just an approach where testers write test cases in simple language (usually Gherkin) that even people without technical expertise can understand. Usually a BDD test case is structured in 3 statements:  
 

• The Given statement sets up the initial context for the behavior and defines the starting point of the system.
• The When statement describes the trigger that brings about a change or behavior in the system.
• The Then statement defines the expected outcome that should be observed after the event mentioned in the When statement.

Here are 15 test cases for Login page written in Gherkin format:

Test Case 1: Successful Login

Given a valid username and password,

When I attempt to log in,

Then I should be successfully logged into the system.  
 

Test Case 2: Invalid Password

Given an invalid password for a valid username,

When I attempt to log in,

Then I should see an error message indicating the incorrect password.  
 

Test Case 3: Empty Username Field

Given an empty username field,

When I attempt to log in,

Then I should see an error message indicating the username field is required.  
 

Test Case 4: Empty Password Field

Given an empty password field,

When I attempt to log in,

Then I should see an error message indicating the password field is required.  
 

Test Case 5: Username with Special Characters

Given a username with special characters,

When I attempt to log in,

Then I should successfully log in.  
 

Test Case 6: Locked Account

Given a locked account due to multiple failed login attempts,

When I attempt to log in,

Then I should see an error message indicating that my account is locked.  
 

Test Case 7: Remember Me Option

Given a valid username and password with "Remember Me" selected,

When I log in,

Then I should remain logged in across sessions.  
 

Test Case 8: Multi-Factor Authentication (MFA)

Given a valid username and password with multi-factor authentication (MFA) enabled,

When I log in,

Then I should be prompted to enter an authentication code.  
 

Test Case 9: Password Reset Request

Given a password reset request,

When I follow the password reset process,

Then I should be able to set a new password.  
 

Test Case 10: Account Recovery Request

Given an account recovery request,

When I follow the account recovery process,

Then I should be able to regain access to my account.  
 

Free Test Case Template To Download

To best write your test cases, you should always have a test case template, which we have prepared in PDF, Doc, and Excel sheet formats for you to download. Simply hit the button below and start noting down your test cases right away.   
 

PDF | Doc | Excel  

Or Simply Manage All of Your Test Cases With Katalon TestOps

How To Automate and Improve Your Testing For Login Page With Katalon Platform

Login page testing is not incredibly complex, but it is highly repetitive by nature. It is always a crucial page, and frequent regression testing for it is a must. Automating test cases on Login page is a great strategy, but writing test scripts from scratch then continuously maintaining them after each code change is actually quite counterproductive.

With Katalon Platform, you can easily create, manage, execute, maintain, and generate report for your test cases and test projects all in 1 place, without having to install or switch to any additional tech.   
 

For example, you can use its Record-and-Playback feature to easily capture what you are doing on the Login page, and Katalon turns it into a full test script that you can just execute whenever you want. With just a few seconds, you have successfully automated your testing for the Login page. 

As you will see in the video here, all you have to do is clicking on the “Make an Appoitment” button, and Katalon will register your action, turn it into code, which is executed (aka Playback) when you click “Run”:

Even if changes occur on this page, Katalon will intelligently and automatically fix the outdated test script by updating the locators of on-screen elements based on the changes it detected thanks to its Self-healing features. Combining all of that with the industry-leading AI-powered testing features, you have a comprehensive software quality management platform that is highly scalable and innovative.

Start Testing With Katalon For Free