Test Cases for Login Page: 50 Examples + Free Template (2026)
50 production-grade test cases for a login page — UI, functional, validation, security, session, accessibility and performance. Free CSV template download.

Last updated: July 12, 2026 · 14 min read · Reviewed by Priyanka G.
Writing test cases for a login page is the #1 QA exercise in interviews and the most common regression suite you will ever own. This guide gives you 50 production-grade test cases covering UI, functional, validation, security, session, accessibility and performance — plus a free CSV template you can drop straight into Jira, TestRail, Xray or Zephyr.
If you are new to test case writing, start with our Manual Testing Complete Guide and the How to Write Test Cases for a Login Page primer, then come back here for the full 50-case suite.
Download the 50-case template (free)
Grab the CSV, import it into your test management tool, and edit as needed. Columns match the ISTQB test-case template: TC_ID, Category, Title, Preconditions, Test Steps, Test Data, Expected Result, Priority, Status.
50 login test cases — CSV template
Ready for Jira, TestRail, Xray, Zephyr Scale, Excel or Google Sheets · ~6 KB
Login page anatomy — what to test
Before writing test cases, identify every element on the page. A modern login page usually contains:
- Email / Username field
- Password field with show/hide toggle
- Remember me checkbox
- Sign in button (primary CTA)
- Forgot password link
- Sign up / Create account link
- Social login buttons (Google, Apple, Microsoft)
- Error / success message region (with
role="alert") - CAPTCHA or rate-limit banner (conditional)
- Legal footer (Terms, Privacy)
Every element above maps to at least one test case in the sections below.
Test case template (one row = one case)
TC_ID: TC_FN_001
Category: Functional
Title: Successful login with valid credentials
Preconditions: Verified account exists; user is logged out
Test Steps:
1. Navigate to /login
2. Enter admin@example.com in the Email field
3. Enter Sup3rSecret! in the Password field
4. Click Sign in
Test Data: admin@example.com / Sup3rSecret!
Expected Result: HTTP 302 redirect to /dashboard; welcome banner shows user name
Priority: P0 (blocker)
Status: Pass / Fail / BlockedPriority scale used below: P0 = release blocker, P1 = smoke suite, P2 = full regression, P3 = nice-to-have / weekly.
UI test cases (8) — TC_UI_001–008
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_UI_001 | Login page renders all elements | Email, Password, Remember me, Sign in, Forgot password, Sign up and social buttons all visible | P2 |
| TC_UI_002 | Password field masks input | Characters shown as bullets/asterisks; never plain text | P0 |
| TC_UI_003 | Show/hide password toggle works | Password becomes visible then masked again on second click | P2 |
| TC_UI_004 | Sign in button disabled until both fields filled | Disabled → disabled → enabled | P1 |
| TC_UI_005 | Layout responsive at 375×667 (iPhone SE) | Fields stack vertically; no horizontal scroll | P2 |
| TC_UI_006 | Layout responsive at 1440×900 (desktop) | Form centered; no clipping | P3 |
| TC_UI_007 | Placeholder text matches spec | “you@example.com” and “Enter password” | P3 |
| TC_UI_008 | Focus outline visible on keyboard tab | Visible focus ring on every interactive element | P1 |
Functional test cases (12) — TC_FN_001–012
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_FN_001 | Login succeeds with valid credentials | Redirect to /dashboard with welcome message | P0 |
| TC_FN_002 | Login fails with wrong password | Generic error; user stays on /login | P0 |
| TC_FN_003 | Login fails with unknown email | Same generic error (prevents user enumeration) | P0 |
| TC_FN_004 | Email is case-insensitive | ADMIN@EXAMPLE.COM logs in | P1 |
| TC_FN_005 | Password is case-sensitive | Wrong case fails | P0 |
| TC_FN_006 | Leading/trailing spaces in email are trimmed | Login succeeds | P2 |
| TC_FN_007 | Enter key submits the form | Same behaviour as clicking Sign in | P1 |
| TC_FN_008 | Remember me keeps user logged in across browser restart | User still logged in on /dashboard | P1 |
| TC_FN_009 | Forgot password link navigates to /forgot-password | Correct redirect | P1 |
| TC_FN_010 | Sign up link navigates to /signup | Correct redirect | P2 |
| TC_FN_011 | Google social login initiates OAuth flow | User logged in via Google and redirected to /dashboard | P1 |
| TC_FN_012 | Deep-link redirect after login | User returned to originally requested /dashboard/settings | P1 |
Field validation test cases (8) — TC_VAL_001–008
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_VAL_001 | Empty email shows required error | Error: Email is required | P1 |
| TC_VAL_002 | Empty password shows required error | Error: Password is required | P1 |
| TC_VAL_003 | Invalid email format shows format error | Error: Please enter a valid email address | P1 |
| TC_VAL_004 | Email longer than 254 characters rejected | Client-side error before submit | P2 |
| TC_VAL_005 | Password shorter than 8 characters rejected | Error: min length | P2 |
| TC_VAL_006 | Password longer than 128 characters rejected or capped | Field caps or length error shown | P2 |
| TC_VAL_007 | Unicode/emoji password accepted | Login succeeds (UTF-8 safe) | P3 |
| TC_VAL_008 | Whitespace-only password rejected | Error: Password is required | P2 |
These map directly to Equivalence Partitioning and Boundary Value Analysis — see the linked article for the theory.
Security test cases (10) — TC_SEC_001–010
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_SEC_001 | SQL injection in email field | Generic invalid credentials; no query executed | P0 |
| TC_SEC_002 | XSS payload in email field | Payload sanitized; script never executes | P0 |
| TC_SEC_003 | Rate limiting after 5 failed attempts | Account temporarily locked; rate-limit banner shown | P0 |
| TC_SEC_004 | HTTPS is enforced | HTTP redirects 301/302 to HTTPS | P0 |
| TC_SEC_005 | Password field has autocomplete="current-password" | Attribute present on the input | P2 |
| TC_SEC_006 | Error does not reveal which field is wrong | Same message for bad email and bad password | P0 |
| TC_SEC_007 | Password never sent in URL query string | POST body only; not in URL or Referer | P0 |
| TC_SEC_008 | CSRF token is present and validated | Missing/invalid token → 403 Forbidden | P0 |
| TC_SEC_009 | Session token rotates after login | Session ID differs pre- vs post-login | P0 |
| TC_SEC_010 | Password not visible in DOM after submit | Input cleared; value not retained in memory | P1 |
For a deeper security walkthrough, see our Security Testing for QA guide and the OWASP Top 10 reference.
Session & cookie test cases (4) — TC_SES_001–004
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_SES_001 | Session cookie has HttpOnly, Secure and SameSite flags | All three flags present on the session cookie | P0 |
| TC_SES_002 | Session expires after idle timeout | After 30 min idle, protected click redirects to /login | P1 |
| TC_SES_003 | Logout invalidates the session | Back button cannot restore an authenticated page | P0 |
| TC_SES_004 | Concurrent logins are handled per policy | Either both remain valid or Device A is signed out, per spec | P2 |
Accessibility test cases (5) — TC_A11Y_001–005
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_A11Y_001 | All form fields have associated labels | Each input has <label for="…"> | P1 |
| TC_A11Y_002 | Tab order is logical | email → password → remember → sign in → forgot → sign up | P1 |
| TC_A11Y_003 | Error messages have role="alert" | Screen reader announces the error immediately | P1 |
| TC_A11Y_004 | Color contrast meets WCAG AA (4.5:1) | All text passes 4.5:1 contrast in axe/Lighthouse | P1 |
| TC_A11Y_005 | Form usable with keyboard only | Full flow completes without a mouse | P1 |
See our WCAG Accessibility Testing Guide for the full checklist beyond login.
Performance test cases (3) — TC_PERF_001–003
| ID | Test case | Expected result | Priority |
|---|---|---|---|
| TC_PERF_001 | Login page loads in under 2 seconds | Time-to-Interactive < 2000 ms on 4G throttling | P1 |
| TC_PERF_002 | Login POST responds in under 500 ms | P95 response time < 500 ms | P1 |
| TC_PERF_003 | Holds up under 100 concurrent users | Error rate < 1%, P95 < 1s | P2 |
Priority matrix — what to run when
P0 — Smoke (every deploy, must pass)
- TC_FN_001, TC_FN_002, TC_FN_003, TC_FN_005
- TC_SEC_001, TC_SEC_002, TC_SEC_003, TC_SEC_004, TC_SEC_006, TC_SEC_007, TC_SEC_008, TC_SEC_009
- TC_SES_001, TC_SES_003
- TC_UI_002
P1 — Sanity (every PR)
- TC_FN_004, TC_FN_007–012
- TC_VAL_001–003
- TC_UI_004, TC_UI_008
- TC_SES_002, TC_SEC_010
- TC_A11Y_001–005, TC_PERF_001–002
P2 — Full regression (nightly)
- TC_UI_001, TC_UI_003, TC_UI_005
- TC_FN_006, TC_VAL_004–006, TC_VAL_008
- TC_SEC_005, TC_SES_004, TC_PERF_003
P3 — Weekly / pre-release
- TC_UI_006, TC_UI_007, TC_VAL_007
Which cases to automate first
You will never automate all 50 on day one. Start with the highest ROI:
- P0 functional (TC_FN_001–005) — 30-min Playwright script, runs on every PR. See our Playwright Complete Guide.
- P0 security (TC_SEC_001–004, TC_SEC_006) — Playwright + OWASP ZAP Baseline in CI.
- Accessibility (TC_A11Y_001–004) —
@axe-core/playwrightassertion in the same login spec. - Performance (TC_PERF_002, TC_PERF_003) — k6 script hitting
/api/login, run nightly.
Practice Playwright login-flow patterns with our Playwright interview question bank.
Common mistakes to avoid
- Testing only the happy path. Interviewers and users both find bugs in the failure branches.
- Leaking which field is wrong. “Wrong password” vs “Unknown email” lets attackers enumerate accounts.
- Skipping session rotation (TC_SEC_009). Session fixation is a top-5 OWASP issue.
- Hard-coding sleeps in automation. Use auto-waiting locators; see our Playwright locators guide.
- Forgetting the mobile viewport. More than 60% of logins happen on mobile.
Continue your learning
- Download the 50-case CSV template
- How to Write Test Cases for a Login Page (primer)
- Manual Testing Complete Guide
- Security Testing for QA
- Accessibility Testing (WCAG) Guide
- Software Testing Interview Questions
- Scenario-based testing interview questions
- Practice with AI Mock Interview
- OWASP Top 10 (official)
Frequently asked questions
1.How many test cases should I write for a login page?
2.What is the most important test case for a login page?
3.Should I automate all 50 test cases?
4.How do I test the Forgot password flow?
5.What tools should I use to test a login page?
6.Do the same test cases apply to a mobile app login?
7.Can I use this template for signup and forgot-password pages?
Practice these questions
Run a live QA mock interview tailored to this topic and get per-skill scoring in minutes.
Was this article helpful?
More from Test Case Writing
Effective test cases, templates, examples.
- Career & Interview PrepThe 3-Minute Whiteboard Testing Trick That Impresses Interviewers (ACCORD Framework)
- AI in TestingHow to Use Claude AI for Test Case Generation (2026 Guide + Prompts)
- AI in TestingHow to Use ChatGPT & AI to Write Test Cases (Without Fluff) in 2026
Keep building your QA edge
Pillar guides- AI Mock InterviewSoftwareTestPilot's AI interview coachLive AI-powered mock interviews with rubric feedback.
- ATS Resume ReviewSoftwareTestPilot's ATS resume checkerFree AI ATS scoring with rewrite suggestions.
- QA Jobs RadarSoftwareTestPilot's QA jobs boardLive QA / SDET / automation job feed, refreshed daily.
Continue reading
Selenium Interview Questions for 1 Year Experience (2026 Complete Guide)
22 min readSelenium Interview Questions for 3 Years Experience (2026 Complete Guide)
24 min readSelenium Interview Questions for 5 Years Experience (2026 Complete Guide)
26 min readJoin the QA Community
Connect with fellow testers, share job leads, and get career advice.
Stop Reinventing the Wheel. Upgrade Your QA Arsenal.
Take your testing skills from beginner to Lead Engineer. Supercharge your daily workflow with our premium digital resources.
- Ready-to-use testing strategy templates
- Advanced API & UI automation guides
- ⏱️ Save 10+ hours a week on test planning