Q1 of 22 · Scenarios

How would you test a login page?

Tags: Scenarios · Junior · scenario · login · authentication · security · functional

Short answer

Clarify the auth mechanisms and policies first, then cover functional happy paths, negative cases (wrong credentials, lockout), edge inputs, and non-functional concerns including security and accessibility.

Detail

Clarify first

  • What authentication methods are supported — email/password only, or SSO/MFA as well?
  • What is the lockout policy after failed attempts, and is the account locked or just rate-limited?
  • Does "Remember me" exist, and how long does the session persist?
  • Is there a "Login as" / impersonation feature for admins?

Functional

  • Valid credentials redirect to the correct landing page for the user's role
  • Case-insensitive email matching (alice@example.com = ALICE@EXAMPLE.COM)
  • "Remember me" persists the session across browser restarts for the configured duration
  • Post-login redirect preserves the originally requested URL (deep-link)

Negative / error handling

  • Wrong password → generic error (no hint whether email exists)
  • Unregistered email → same generic error (prevents account enumeration)
  • Empty username, empty password, both empty → meaningful field-level validation
  • Account locked after N failed attempts → clear message; re-login blocked until unlocked

Edge & boundary

  • Credentials at maximum field length
  • Special characters and Unicode in the password field
  • Concurrent logins from the same account (should last session be invalidated?)
  • Session expiry during active use — redirect to login, preserve intent

Security

  • HTTPS enforced; credentials never appear in the URL or server logs
  • CSRF protection on the login form (token present and validated)
  • Session token rotated on successful login (session fixation prevention)
  • Brute-force protection: rate limiting or CAPTCHA after repeated failures

Accessibility

  • Full keyboard navigation; form submits on Enter
  • Field labels correctly associated; error messages linked via aria-describedby
  • Screen reader announces login failure clearly

Close: automate functional cases, negative validations, and security checks (CSRF token, session rotation, enumeration). Keep exploratory for lockout UX, post-lockout recovery flow, and deep-link redirect edge cases.
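As an added example (not part of the original answer), here is what the "automate" half of that close can look like: a toy login handler built for this example, with the behaviours the checklist above asks for (generic error for wrong password and unknown email, case-insensitive email, lockout after N failures, session id rotated on success), followed by the check functions a test suite would run against it. `LoginService`, the sample accounts, the error strings and `MAX_FAILED_ATTEMPTS` are all constructed here; against a real application the checks would drive the login endpoint instead of this class.

```python
# Added example, not from the original page: a constructed login handler plus
# the automatable checks the answer lists. All names and data are assumptions.
import hashlib
import hmac
import secrets

GENERIC_ERROR = "Invalid email or password."            # same text for every failure
LOCKED_ERROR = "Account locked. Contact support to unlock."
MAX_FAILED_ATTEMPTS = 5


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginService:
    def __init__(self):
        self._users = {}      # normalized email -> (salt, password hash)
        self._failures = {}   # normalized email -> consecutive failures
        self._locked = set()  # normalized emails currently locked out
        self._sessions = {}   # session id -> normalized email, or None pre-login

    @staticmethod
    def _normalize(email):
        return email.strip().lower()   # alice@example.com == ALICE@EXAMPLE.COM

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[self._normalize(email)] = (salt, _hash(password, salt))

    def new_session(self):
        """Anonymous session issued before login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def session_user(self, session_id):
        return self._sessions.get(session_id)

    def login(self, session_id, email, password):
        """Returns (new_session_id, None) on success or (None, error) on failure."""
        key = self._normalize(email)
        # Failure counting and lockout apply to unknown emails as well, so the
        # lockout message cannot be used to tell registered accounts apart.
        if key in self._locked:
            return None, LOCKED_ERROR
        record = self._users.get(key)
        if record is None:
            _hash(password, b"\x00" * 16)   # same work for unknown emails
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(_hash(password, salt), stored)
        if not ok:
            self._failures[key] = self._failures.get(key, 0) + 1
            if self._failures[key] >= MAX_FAILED_ATTEMPTS:
                self._locked.add(key)
            return None, GENERIC_ERROR
        self._failures.pop(key, None)
        # Session fixation prevention: retire the pre-login id, issue a fresh one
        self._sessions.pop(session_id, None)
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = key
        return fresh, None


# --- checks a test suite would run; each takes a fresh service ---
def check_no_enumeration(svc):
    """Wrong password and unregistered email must yield the identical error."""
    svc.register("alice@example.com", "pw-alice")
    _, err_bad_pw = svc.login(svc.new_session(), "alice@example.com", "wrong")
    _, err_unknown = svc.login(svc.new_session(), "nobody@example.com", "wrong")
    return err_bad_pw == err_unknown == GENERIC_ERROR


def check_session_rotated(svc):
    """The pre-login session id must be dead after login and a new one issued."""
    svc.register("bob@example.com", "pw-bob")
    pre = svc.new_session()
    post, err = svc.login(pre, "bob@example.com", "pw-bob")
    return (err is None and post != pre and svc.session_user(pre) is None
            and svc.session_user(post) == "bob@example.com")


def check_case_insensitive_email(svc):
    svc.register("alice@example.com", "pw-alice")
    sid, err = svc.login(svc.new_session(), "ALICE@EXAMPLE.COM", "pw-alice")
    return err is None and svc.session_user(sid) == "alice@example.com"


def check_lockout(svc):
    """After N failures even the correct password is refused with a clear message."""
    svc.register("carol@example.com", "pw-carol")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login(svc.new_session(), "carol@example.com", "wrong")
    sid, err = svc.login(svc.new_session(), "carol@example.com", "pw-carol")
    return sid is None and err == LOCKED_ERROR


def run_checks():
    checks = [check_no_enumeration, check_session_rotated,
              check_case_insensitive_email, check_lockout]
    return {fn.__name__: fn(LoginService()) for fn in checks}


if __name__ == "__main__":
    for name, passed in run_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Each check is written to fail loudly if the behaviour regresses: if the two error strings ever diverge, `check_no_enumeration` returns False; if the handler keeps the pre-login session id, `check_session_rotated` catches it. The CSRF token check from the list above is deliberately left out here because it depends on the form and framework under test rather than on the login logic itself.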

// WHAT INTERVIEWERS LOOK FOR

Clarifying questions before listing cases — especially asking about MFA and lockout policy. Covering account enumeration prevention (same error for wrong email and wrong password). Security and accessibility mentioned, not just happy path.

// COMMON PITFALL

Listing only 'valid login works, invalid login shows error' without covering enumeration, session fixation, brute-force protection, or accessibility. That answer covers maybe 20% of what interviewers expect.