How to Write Test Cases for a Login Page (with Examples)
Step-by-step guide to writing test cases for a login page with 30+ real examples. Covers UI, functional, validation, security, and accessibility test cases for QA engineers.

In this article
Last updated: June 27, 2026 · 7 min read
A login page is the #1 test case exercise in QA interviews. This guide gives you 30+ production-grade test cases covering UI, functional, validation, security, and accessibility. Pair it with our Manual Testing Complete Guide and the Software Testing Interview Questions master list.
Login Page Anatomy
Before writing test cases, identify the components:
- Email / Username field
- Password field
- "Show password" toggle
- "Remember me" checkbox
- "Forgot password?" link
- "Sign in" button
- "Sign up" link
- Error message area
- Social login buttons (Google, Apple, etc.)
- CAPTCHA (when applicable)
UI Test Cases
TC_UI_001 — Email field is visible and editable
- Navigate to /login
- Verify email field is visible
- Verify field accepts text input
TC_UI_002 — Password field masks input
- Navigate to /login
- Click password field
- Type
TestPass123! - Verify input is shown as bullets/asterisks, not plain text
TC_UI_003 — Sign in button is disabled until both fields are filled
- Navigate to /login
- Verify Sign in button is disabled
- Fill email; verify button is still disabled
- Fill password; verify button is now enabled
TC_UI_004 — Layout is responsive on mobile
- Set viewport to 375x667 (iPhone)
- Navigate to /login
- Verify all fields stack vertically and are visible without horizontal scroll
Functional Test Cases
TC_FN_001 — Successful login with valid credentials
- Navigate to /login
- Enter
admin@example.comas email - Enter
Sup3rSecret!as password - Click "Sign in"
- Verify redirect to /dashboard and welcome message displays user name
TC_FN_002 — Failed login with wrong password
- Enter valid email and wrong password
- Click "Sign in"
- Verify error message: Invalid email or password
- Verify user remains on /login
TC_FN_003 — Login is case-insensitive for email
- Enter
ADMIN@EXAMPLE.COMwith correct password - Verify login succeeds (emails are case-insensitive)
TC_FN_004 — Remember me keeps user logged in
- Check "Remember me" and login successfully
- Close and re-open browser
- Navigate to /dashboard and verify user is still logged in
Validation Test Cases
TC_VAL_001 — Empty email field shows required error
Leave email empty, click Sign in, verify error: Email is required.
TC_VAL_002 — Invalid email format shows format error
Enter not-an-email, click Sign in, verify error: Please enter a valid email address.
TC_VAL_003 — Empty password field shows required error
Enter valid email, leave password empty, click Sign in, verify error: Password is required.
TC_VAL_004 — SQL injection in email field is rejected
Enter ' OR '1'='1 as email and any password. Verify error message (no SQL executed).
TC_VAL_005 — XSS in email field is sanitized
Enter <script>alert('xss')</script> as email. Verify error message (script not executed).
Security Test Cases
TC_SEC_001 — Rate limiting after 5 failed attempts
Enter wrong password 5 times; verify account is temporarily locked and rate-limit message displayed.
TC_SEC_002 — Password field has correct autocomplete
Inspect password field; verify autocomplete="current-password" is set (or off for high security).
TC_SEC_003 — HTTPS is enforced
Navigate to http://example.com/login; verify redirect to https://example.com/login.
TC_SEC_004 — Session token is set with HttpOnly and Secure flags
Login successfully, inspect cookies in DevTools, verify session cookie has HttpOnly and Secure flags.
TC_SEC_005 — Login response doesn't leak which field is wrong
Enter valid email + wrong password and verify error: Invalid email or password (NOT Wrong password). This prevents email enumeration attacks.
For more secure-by-design patterns, see our Security Testing for QA guide.
Accessibility Test Cases
TC_A11Y_001 — All form fields have associated labels
Inspect email field; verify <label for="email"> exists.
TC_A11Y_002 — Tab order is logical
Press Tab repeatedly; verify focus order: email → password → remember me → sign in.
TC_A11Y_003 — Screen reader announces field labels
Focus email field with screen reader enabled; verify it announces Email, edit text.
TC_A11Y_004 — Error messages have role="alert"
Trigger a validation error; inspect error element and verify role="alert" is set.
Performance Test Cases
TC_PERF_001 — Login page loads in under 2 seconds
- Clear cache
- Navigate to /login
- Measure load time
- Verify load completes in < 2000ms
For load and stress patterns on the auth endpoint, see k6 vs JMeter.
How to Write a Test Case (Template)
TC_ID: TC_FN_001
Title: Successful login with valid credentials
Preconditions: User account exists; user is logged out
Priority: High
Linked Requirement: REQ-AUTH-001
Steps:
1. Navigate to /login
2. Enter "admin@example.com" as email
3. Enter "Sup3rSecret!" as password
4. Click "Sign in"
Expected Result: User is redirected to /dashboard with welcome messageHow to Prioritize Test Cases for Execution
Not all test cases are equal. Use this priority framework:
P0 — Critical (must pass before every release)
- TC_FN_001 (successful login)
- TC_SEC_003 (HTTPS enforced)
- TC_SEC_004 (HttpOnly cookies)
P1 — High (run on every build)
- TC_FN_002 (failed login)
- TC_VAL_001 / TC_VAL_003 (required fields)
- TC_SEC_001 (rate limiting)
P2 — Medium (run on every PR)
- TC_UI_001–004 (UI rendering)
- TC_FN_003 / TC_FN_004 (case-insensitive email, remember me)
- TC_VAL_002 / TC_VAL_004–005 (validation edge cases)
P3 — Low (run weekly or pre-release)
- TC_A11Y_001–004 (accessibility)
- TC_PERF_001 (performance)
This prioritization helps you build a fast smoke suite (P0+P1) that runs in < 5 minutes, plus a deeper regression that runs nightly. For more, see our Manual Testing Complete Guide and the ISTQB Foundation Study Guide.
Continue your learning
Frequently asked questions
How many test cases should a login page have?
For a typical login page: 30–60 test cases covering UI, functional, validation, security, and accessibility.
What is the most important test case for login?
Successful login (TC_FN_001) — if this fails, nothing else matters. Rate limiting (TC_SEC_001) prevents brute force, and HTTPS enforcement (TC_SEC_003) prevents credential interception.
How do you test the Forgot password link?
Verify it navigates to /forgot-password, accepts an email, sends a reset email (mocked), and the reset link in the email works to set a new password.
What tools should I use to test login pages?
Manual testing across multiple browsers, OWASP ZAP for security scanning, Lighthouse for accessibility, and JMeter or k6 for performance.
Should login test cases be automated?
Yes — P0 and P1 cases (successful login, failed login, validation, rate limiting) should be automated as part of the smoke suite. P3 cases like accessibility can remain manual or use axe-core in CI.
Practice these questions
Run a live QA mock interview tailored to this topic and get per-skill scoring in minutes.
Was this article helpful?
Keep building your QA edge
Pillar guidesContinue reading
Join the QA Community
Connect with fellow testers, share job leads, and get career advice.
Stop Reinventing the Wheel. Upgrade Your QA Arsenal.
Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.
- ⚡ Ready-to-use testing strategy templates
- 🔥 Advanced API & UI automation guides
- ⏱️ Save 10+ hours a week on test planning


