SoftwareTestPilot
Test Case DesignPublished: 14 min read

Test Cases for Login Page: 50 Examples + Free Template (2026)

50 production-grade test cases for a login page — UI, functional, validation, security, session, accessibility and performance. Free CSV template download.

Avinash Kamble
Founder & QA Engineer at SoftwareTestPilot
Reviewed by Priyanka G.
Share:XLinkedInWhatsApp
Test cases for login page — editorial illustration of a login form with checkmarks, magnifying glass and a security shield.
Test cases for login page — editorial illustration of a login form with checkmarks, magnifying glass and a security shield.

Last updated: July 12, 2026 · 14 min read · Reviewed by Priyanka G.

Writing test cases for a login page is the #1 QA exercise in interviews and the most common regression suite you will ever own. This guide gives you 50 production-grade test cases covering UI, functional, validation, security, session, accessibility and performance — plus a free CSV template you can drop straight into Jira, TestRail, Xray or Zephyr.

If you are new to test case writing, start with our Manual Testing Complete Guide and the How to Write Test Cases for a Login Page primer, then come back here for the full 50-case suite.

Download the 50-case template (free)

Grab the CSV, import it into your test management tool, and edit as needed. Columns match the ISTQB test-case template: TC_ID, Category, Title, Preconditions, Test Steps, Test Data, Expected Result, Priority, Status.

50 login test cases — CSV template

Ready for Jira, TestRail, Xray, Zephyr Scale, Excel or Google Sheets · ~6 KB

Download CSV

Login page anatomy — what to test

Before writing test cases, identify every element on the page. A modern login page usually contains:

  • Email / Username field
  • Password field with show/hide toggle
  • Remember me checkbox
  • Sign in button (primary CTA)
  • Forgot password link
  • Sign up / Create account link
  • Social login buttons (Google, Apple, Microsoft)
  • Error / success message region (with role="alert")
  • CAPTCHA or rate-limit banner (conditional)
  • Legal footer (Terms, Privacy)

Every element above maps to at least one test case in the sections below.

Test case template (one row = one case)

TC_ID: TC_FN_001
Category: Functional
Title: Successful login with valid credentials
Preconditions: Verified account exists; user is logged out
Test Steps:
  1. Navigate to /login
  2. Enter admin@example.com in the Email field
  3. Enter Sup3rSecret! in the Password field
  4. Click Sign in
Test Data: admin@example.com / Sup3rSecret!
Expected Result: HTTP 302 redirect to /dashboard; welcome banner shows user name
Priority: P0 (blocker)
Status: Pass / Fail / Blocked

Priority scale used below: P0 = release blocker, P1 = smoke suite, P2 = full regression, P3 = nice-to-have / weekly.

UI test cases (8) — TC_UI_001–008

IDTest caseExpected resultPriority
TC_UI_001Login page renders all elementsEmail, Password, Remember me, Sign in, Forgot password, Sign up and social buttons all visibleP2
TC_UI_002Password field masks inputCharacters shown as bullets/asterisks; never plain textP0
TC_UI_003Show/hide password toggle worksPassword becomes visible then masked again on second clickP2
TC_UI_004Sign in button disabled until both fields filledDisabled → disabled → enabledP1
TC_UI_005Layout responsive at 375×667 (iPhone SE)Fields stack vertically; no horizontal scrollP2
TC_UI_006Layout responsive at 1440×900 (desktop)Form centered; no clippingP3
TC_UI_007Placeholder text matches spec“you@example.com” and “Enter password”P3
TC_UI_008Focus outline visible on keyboard tabVisible focus ring on every interactive elementP1

Functional test cases (12) — TC_FN_001–012

IDTest caseExpected resultPriority
TC_FN_001Login succeeds with valid credentialsRedirect to /dashboard with welcome messageP0
TC_FN_002Login fails with wrong passwordGeneric error; user stays on /loginP0
TC_FN_003Login fails with unknown emailSame generic error (prevents user enumeration)P0
TC_FN_004Email is case-insensitiveADMIN@EXAMPLE.COM logs inP1
TC_FN_005Password is case-sensitiveWrong case failsP0
TC_FN_006Leading/trailing spaces in email are trimmedLogin succeedsP2
TC_FN_007Enter key submits the formSame behaviour as clicking Sign inP1
TC_FN_008Remember me keeps user logged in across browser restartUser still logged in on /dashboardP1
TC_FN_009Forgot password link navigates to /forgot-passwordCorrect redirectP1
TC_FN_010Sign up link navigates to /signupCorrect redirectP2
TC_FN_011Google social login initiates OAuth flowUser logged in via Google and redirected to /dashboardP1
TC_FN_012Deep-link redirect after loginUser returned to originally requested /dashboard/settingsP1

Field validation test cases (8) — TC_VAL_001–008

IDTest caseExpected resultPriority
TC_VAL_001Empty email shows required errorError: Email is requiredP1
TC_VAL_002Empty password shows required errorError: Password is requiredP1
TC_VAL_003Invalid email format shows format errorError: Please enter a valid email addressP1
TC_VAL_004Email longer than 254 characters rejectedClient-side error before submitP2
TC_VAL_005Password shorter than 8 characters rejectedError: min lengthP2
TC_VAL_006Password longer than 128 characters rejected or cappedField caps or length error shownP2
TC_VAL_007Unicode/emoji password acceptedLogin succeeds (UTF-8 safe)P3
TC_VAL_008Whitespace-only password rejectedError: Password is requiredP2

These map directly to Equivalence Partitioning and Boundary Value Analysis — see the linked article for the theory.

Security test cases (10) — TC_SEC_001–010

IDTest caseExpected resultPriority
TC_SEC_001SQL injection in email fieldGeneric invalid credentials; no query executedP0
TC_SEC_002XSS payload in email fieldPayload sanitized; script never executesP0
TC_SEC_003Rate limiting after 5 failed attemptsAccount temporarily locked; rate-limit banner shownP0
TC_SEC_004HTTPS is enforcedHTTP redirects 301/302 to HTTPSP0
TC_SEC_005Password field has autocomplete="current-password"Attribute present on the inputP2
TC_SEC_006Error does not reveal which field is wrongSame message for bad email and bad passwordP0
TC_SEC_007Password never sent in URL query stringPOST body only; not in URL or RefererP0
TC_SEC_008CSRF token is present and validatedMissing/invalid token → 403 ForbiddenP0
TC_SEC_009Session token rotates after loginSession ID differs pre- vs post-loginP0
TC_SEC_010Password not visible in DOM after submitInput cleared; value not retained in memoryP1

For a deeper security walkthrough, see our Security Testing for QA guide and the OWASP Top 10 reference.

Session & cookie test cases (4) — TC_SES_001–004

IDTest caseExpected resultPriority
TC_SES_001Session cookie has HttpOnly, Secure and SameSite flagsAll three flags present on the session cookieP0
TC_SES_002Session expires after idle timeoutAfter 30 min idle, protected click redirects to /loginP1
TC_SES_003Logout invalidates the sessionBack button cannot restore an authenticated pageP0
TC_SES_004Concurrent logins are handled per policyEither both remain valid or Device A is signed out, per specP2

Accessibility test cases (5) — TC_A11Y_001–005

IDTest caseExpected resultPriority
TC_A11Y_001All form fields have associated labelsEach input has <label for="…">P1
TC_A11Y_002Tab order is logicalemail → password → remember → sign in → forgot → sign upP1
TC_A11Y_003Error messages have role="alert"Screen reader announces the error immediatelyP1
TC_A11Y_004Color contrast meets WCAG AA (4.5:1)All text passes 4.5:1 contrast in axe/LighthouseP1
TC_A11Y_005Form usable with keyboard onlyFull flow completes without a mouseP1

See our WCAG Accessibility Testing Guide for the full checklist beyond login.

Performance test cases (3) — TC_PERF_001–003

IDTest caseExpected resultPriority
TC_PERF_001Login page loads in under 2 secondsTime-to-Interactive < 2000 ms on 4G throttlingP1
TC_PERF_002Login POST responds in under 500 msP95 response time < 500 msP1
TC_PERF_003Holds up under 100 concurrent usersError rate < 1%, P95 < 1sP2

Automate TC_PERF_002 and TC_PERF_003 with k6 or JMeter.

Priority matrix — what to run when

P0 — Smoke (every deploy, must pass)

  • TC_FN_001, TC_FN_002, TC_FN_003, TC_FN_005
  • TC_SEC_001, TC_SEC_002, TC_SEC_003, TC_SEC_004, TC_SEC_006, TC_SEC_007, TC_SEC_008, TC_SEC_009
  • TC_SES_001, TC_SES_003
  • TC_UI_002

P1 — Sanity (every PR)

  • TC_FN_004, TC_FN_007–012
  • TC_VAL_001–003
  • TC_UI_004, TC_UI_008
  • TC_SES_002, TC_SEC_010
  • TC_A11Y_001–005, TC_PERF_001–002

P2 — Full regression (nightly)

  • TC_UI_001, TC_UI_003, TC_UI_005
  • TC_FN_006, TC_VAL_004–006, TC_VAL_008
  • TC_SEC_005, TC_SES_004, TC_PERF_003

P3 — Weekly / pre-release

  • TC_UI_006, TC_UI_007, TC_VAL_007

Which cases to automate first

You will never automate all 50 on day one. Start with the highest ROI:

  1. P0 functional (TC_FN_001–005) — 30-min Playwright script, runs on every PR. See our Playwright Complete Guide.
  2. P0 security (TC_SEC_001–004, TC_SEC_006) — Playwright + OWASP ZAP Baseline in CI.
  3. Accessibility (TC_A11Y_001–004)@axe-core/playwright assertion in the same login spec.
  4. Performance (TC_PERF_002, TC_PERF_003) — k6 script hitting /api/login, run nightly.

Practice Playwright login-flow patterns with our Playwright interview question bank.

Common mistakes to avoid

  • Testing only the happy path. Interviewers and users both find bugs in the failure branches.
  • Leaking which field is wrong. “Wrong password” vs “Unknown email” lets attackers enumerate accounts.
  • Skipping session rotation (TC_SEC_009). Session fixation is a top-5 OWASP issue.
  • Hard-coding sleeps in automation. Use auto-waiting locators; see our Playwright locators guide.
  • Forgetting the mobile viewport. More than 60% of logins happen on mobile.

Frequently asked questions

1.How many test cases should I write for a login page?
For a production login page, 40–60 test cases across UI, functional, validation, security, session, accessibility and performance is the industry norm. This guide gives you 50 — use the CSV template as a starting point and trim to your risk profile.
2.What is the most important test case for a login page?
TC_FN_001 (successful login) is the release blocker — if it fails nothing else matters. After that, the P0 security cases (rate limiting, HTTPS, CSRF, session rotation and generic error messaging) matter most because they prevent real-world attacks.
3.Should I automate all 50 test cases?
No. Automate all P0 and P1 cases (about 30 cases) with Playwright, plus TC_A11Y_001–004 with @axe-core/playwright and TC_PERF_002–003 with k6. Leave P3 cases as manual checks in the release checklist.
4.How do I test the Forgot password flow?
Verify (1) the link navigates to /forgot-password, (2) submitting a valid email returns the same success message as an unknown email (no enumeration), (3) the reset email arrives with a signed, time-limited token, and (4) the reset link expires after single use.
5.What tools should I use to test a login page?
Playwright or Cypress for functional and accessibility automation, OWASP ZAP for security scanning, axe-core or Lighthouse for accessibility audits, and k6 or JMeter for performance.
6.Do the same test cases apply to a mobile app login?
Most do — swap the browser-specific cases (TC_SEC_004 HTTPS, TC_SEC_005 autocomplete) for platform equivalents like certificate pinning and biometric unlock. See our Appium tutorial for mobile automation patterns.
7.Can I use this template for signup and forgot-password pages?
Yes — the CSV structure is generic. Duplicate the sheet, change TC_ID prefixes (TC_SU_ for signup, TC_FP_ for forgot password) and adapt the functional cases. The UI, validation, security and accessibility rows carry over almost unchanged.
Keep going

Practice these questions

Run a live QA mock interview tailored to this topic and get per-skill scoring in minutes.

Found this useful?
Share:XLinkedInWhatsApp

Was this article helpful?

Cluster · Manual Testing

More from Test Case Writing

Effective test cases, templates, examples.

Pillar guide · 4 articles
More in this cluster
From the Manual Testing pillar

Keep building your QA edge

Continue reading

Join the QA Community

Connect with fellow testers, share job leads, and get career advice.

Premium QA Resources

Stop Reinventing the Wheel. Upgrade Your QA Arsenal.

Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.

  • Ready-to-use testing strategy templates
  • Advanced API & UI automation guides
  • ⏱️ Save 10+ hours a week on test planning
4.9/5 rating
Explore All Products

⭐⭐⭐⭐⭐ Trusted by 1,000+ Software Test Pilots • Instant Access