The Katalon Blog

100 Test Cases For Login Page (With Template + Detailed Guide)

Written by Katalon Team | Sep 18, 2023 7:20:00 AM

A Login page is more than just the entry point to a user account—it’s a key area for security, privacy, and personalization. It’s also one of the most important screens to validate during software testing or web testing. If you’re unsure where to start, here are 100 Login Page test cases you can use as references.

This article covers the most common and essential login test cases, grouped by category. A test case template is also included to help you get started quickly.

Read More: A Complete Web Testing Checklist

1. Positive Login Page Test Cases

Positive test cases verify that the Login page behaves correctly with valid inputs. Common scenarios include:

  1. Valid username and password successfully log the user in.
  2. Login using minimum allowed username and password length.
  3. Login using alphanumeric credentials.
  4. Successful login with “Remember Me” selected.
  5. Login with mixed-case username.
  6. Login using a valid email as the username.
  7. Login using a valid phone number as the username.
  8. Successful login with multi-factor authentication (MFA).
  9. Login with special characters in the username (e.g., @, #, $).
  10. Login using social media accounts (if supported).
  11. Login using biometric authentication.
  12. Login after password reset using the new password.
  13. Login after completing account recovery.
  14. Login with different localization/language settings.
  15. Login across different browsers (Chrome, Firefox, Edge, etc.).

2. Negative Login Page Test Cases

Negative test cases check how the Login page handles invalid or unexpected input. Common scenarios include:

  1. Incorrect password for a valid username.
  2. Incorrect username for a valid password.
  3. Empty username field.
  4. Empty password field.
  5. Username not found in the system.
  6. Password not meeting strength requirements.
  7. Excessively long usernames or passwords.
  8. Incorrect case used in username.
  9. Expired or deactivated account.
  10. Suspended account.
  11. Multiple failed attempts triggering lockout.
  12. Login after session timeout.
  13. Incorrect MFA code.
  14. Invalid characters or script injection in fields.
  15. Failed CAPTCHA validation.

3. Performance Test Cases for Login Page

Performance testing checks whether the Login page can handle different levels of traffic. This matters especially for high-traffic sites like ecommerce, financial services, public services, or institutions with seasonal spikes (e.g., school enrollment).

Key performance test cases include:

  1. Measure average login page load time.
  2. Load testing for max concurrent user logins.
  3. Measure response time during peak hours.
  4. Monitor server resource usage (CPU, RAM, bandwidth) during logins.
  5. Test performance across browsers and devices.
  6. Test performance on slow network connections.
  7. Measure recovery time after failed login attempts.
  8. Test performance when database is under heavy load.
  9. Test during simulated DDoS attacks.
  10. Test handling of high volumes of simultaneous login attempts.
  11. Measure impact of rate limiting.
  12. Test with different authentication methods (password, MFA).
  13. Test with large numbers of inactive accounts.
  14. Measure CAPTCHA impact on performance.
  15. Measure MFA code delivery time.

Read More: Performance Testing vs Load Testing

4. Security Test Cases for Login Page

The Login page is the first security barrier for most systems, controlling access and protecting user data. Security testing verifies that vulnerabilities are closed—either through in-house checks or authorized penetration testing.

Essential security test cases include:

  1. Test for SQL injection via username and password fields.
  2. Test for XSS using script injections.
  3. Verify HTTPS is enforced.
  4. Test for session fixation vulnerabilities.
  5. Verify passwords are hashed and salted.
  6. Test for clickjacking attacks.
  7. Check brute-force protection (lockout, rate limiting).
  8. Verify login page does not reveal username validity.
  9. Test for user enumeration attempts.
  10. Verify that session tokens and cookies are securely generated and stored.
  11. Test the security of password reset and account recovery processes.
  12. Evaluate the login page’s resistance to DDoS attacks.
  13. Test for insecure password policies (e.g., weak password requirements).
  14. Verify that error messages do not reveal unnecessary information (e.g., “Invalid username or password” instead of specifying which one failed).
  15. Evaluate the system’s compliance with relevant security standards such as OWASP Top Ten.

5. How to Test SQL Injection on a Login Page

SQL Injection occurs when malicious SQL code is inserted into a web application’s input fields to manipulate or damage the database. It remains one of the most common web hacking techniques, even decades after its discovery.

Suppose you have a login page at https://example.com/login. If the backend doesn’t properly sanitize user input, the system becomes an easy target for SQL Injection. Here’s a simple example of vulnerable Python code:

Python — Vulnerable Login Logic 
username = get_user_input()
password = get_user_input()

# Vulnerable SQL query
query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"

print(query)

This approach has two critical issues:

  • The username and password fields are used without any validation or sanitization.
  • The SQL query is assembled by directly concatenating user-supplied data.

Because of this, an attacker can bypass authentication with just two inputs:

  1. Enter a valid username (e.g., user).
  2. Enter the following payload in the password field:

 

SQL Injection Payload 
# Attacker inputs:

username: user
password: ' OR '1'='1

# Resulting SQL query:

SELECT * FROM users 
WHERE username='user' 
  AND password='' OR '1'='1';

The resulting query executed by the database becomes:

SQL 
SELECT * 
FROM users 
WHERE username='user' 
  AND password='' 
  OR '1'='1'; 

6. Gmail Login Page Test Cases

Test cases for the Gmail Login page are similar to any other Login page:

  1. Verify that the Gmail login page is accessible from the Gmail homepage.
  2. Test login with valid Gmail account credentials.
  3. Test login with an incorrect Gmail account password.
  4. Test login with an incorrect Gmail account username/email.
  5. Test login with a Gmail account that has two-factor authentication (2FA) enabled.
  6. Verify that the “Stay signed in” option works as expected.
  7. Test the “Forgot password?” link for password recovery functionality.
  8. Test login using Google’s “Sign in with Google” option (if applicable).
  9. Verify that the Gmail login page supports multiple languages.
  10. Test responsiveness across devices (desktop, mobile, tablet).
  11. Check for security features such as CAPTCHA or anti-bot protection.
  12. Test Gmail login performance during peak usage times.
  13. Verify secure session management after login.
  14. Test the login page’s behavior when JavaScript is disabled.
  15. Verify the behavior of the “Create account” link for new Gmail registrations.

Read More: 100 Test Cases For Registration Page

7. Test Cases For Login Page on Mobile Application

Here we enter the domain of mobile testing, which comes with its own unique challenges. Devices vary widely in model, resolution, and mobile-specific behavior. Here are several login page test cases tailored for mobile apps:

  1. Test the login page layout across different mobile devices (phones, tablets).
  2. Verify support for both portrait and landscape orientations.
  3. Test login with valid credentials.
  4. Test login with invalid credentials.
  5. Test login with special characters in username and password fields.
  6. Test the “Forgot password?” functionality.
  7. Verify responsiveness across various mobile screen sizes.
  8. Test the “Remember Me” option.
  9. Test the “Stay signed in” option.
  10. Test login with multi-factor authentication (MFA).
  11. Verify integration with device biometrics (fingerprint, face ID).
  12. Test performance under different network types (3G, 4G, Wi-Fi).
  13. Test compatibility across OS versions (Android, iOS).
  14. Verify login behavior when the device is in airplane mode.
  15. Test login behavior when the device has low or limited storage.

Read More: Top API Test Cases You Should Test

8. BDD Test Cases For Login Page

BDD testing is an approach where test cases are written in simple language—usually Gherkin—so even non-technical team members can understand them. A typical BDD test uses three statements:

  • Given — sets the starting context or initial state.
  • When — describes the action or trigger.
  • Then — defines the expected outcome.

Here are 15 Login Page test cases written in Gherkin format:

Test Case 1: Successful Login

Given a valid username and password,

When I attempt to log in,

Then I should be successfully logged into the system.

Test Case 2: Invalid Password

Given an invalid password for a valid username,

When I attempt to log in,

Then I should see an error message indicating the incorrect password.

Test Case 3: Empty Username Field

Given an empty username field,

When I attempt to log in,

Then I should see an error message indicating the username field is required.

Test Case 4: Empty Password Field

Given an empty password field,

When I attempt to log in,

Then I should see an error message indicating the password field is required.

Test Case 5: Username with Special Characters

Given a username with special characters,

When I attempt to log in,

Then I should successfully log in.

Test Case 6: Locked Account

Given a locked account due to multiple failed login attempts,

When I attempt to log in,

Then I should see an account-locked error message.

Test Case 7: Remember Me Option

Given valid credentials with “Remember Me” selected,

When I log in,

Then I should remain logged in across sessions.

Test Case 8: Multi-Factor Authentication (MFA)

Given valid credentials with MFA enabled,

When I log in,

Then I should be prompted to enter an authentication code.

Test Case 9: Password Reset Request

Given a password reset request,

When I follow the reset process,

Then I should be able to set a new password.

Test Case 10: Account Recovery Request

Given an account recovery request,

When I follow the recovery steps,

Then I should regain access to my account.

Free Test Case Template To Download

To write effective test cases, it helps to start with a test case template. We've prepared PDF, Doc, and Excel versions for easy download. Choose your preferred format below and begin documenting your test cases instantly.

PDF | Doc | Excel

Or Manage All Test Cases in Katalon TestOps

How To Automate and Improve Your Testing For Login Page With Katalon Platform

Login page testing isn’t overly complex, but it is highly repetitive. Because it’s a critical user entry point, frequent regression testing is essential. While automation is a smart strategy, building scripts from scratch and updating them after every UI change often becomes inefficient.

With Katalon Platform, you can create, manage, run, maintain, and report on all your tests in a single place, no additional tools required.

For example, the Record-and-Playback feature lets you interact with the Login page while Katalon automatically generates a complete test script. Within seconds, you have a reusable automated test.

As shown in the video below, simply click the “Make an Appointment” button and Katalon will capture the action, convert it into code, and execute it when you hit “Run”:

Even when the Login page changes, Katalon updates outdated locators automatically using its Self-healing features. Combined with its AI-powered testing capabilities, the platform provides a comprehensive, scalable, and modern approach to software quality management.

Start Testing With Katalon (Free)
View full post