FEA135 – Secure User Login

Test Case: FEA135 – Secure User Login

  • Test Case description: Verify that users can log in securely using HTTPS and that authentication mechanisms protect sensitive user data.
  • Test Case ID: TC_FEA200_001
  • Author/Designer: [AE9947]
  • Date of creation: [01.04.2025]
  • Class: Functional

Test description / objective

This test case will verify that secure login functionality is implemented correctly, ensuring that user credentials and purchase history remain protected through HTTPS and authentication mechanisms.

Links to requirements or other sources

Test pre-state

  • HTTPS is enabled and configured on the server.
  • The system has a login page accessible via HTTPS.
  • The database contains registered user credentials.
  • The shop owner has user management access.

Test steps

  1. Verify HTTPS Enforcement:

    • Open the login page and check if it is served over HTTPS.
    • Try accessing the login page over HTTP and verify that the request is redirected to HTTPS.
  2. Verify Secure User Login:

    • Enter valid user credentials and attempt to log in.
    • Verify that authentication is successful and that the session is established securely.
  3. Verify Invalid Credentials Handling:

    • Enter incorrect credentials and check that an error message is displayed.
    • Ensure that no sensitive details are leaked in the error message.
  4. Verify Brute Force Protection:

    • Attempt multiple failed logins and check if the account is temporarily locked.
    • Ensure that CAPTCHA or multi-factor authentication (MFA) is triggered after repeated failed attempts.
  5. Verify Secure Session Handling:

    • Log in and inspect session cookies to ensure they are marked as Secure and HttpOnly.
    • Check if the session expires after a period of inactivity.
  6. Verify Shop Owner Access:

    • Log in as a shop owner and confirm that they can manage client access securely.
    • Ensure that customer purchase history is accessible only to authorized users.
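The following is an added example (not part of the original test case or the shop's own code) of the server-side behaviour that steps 3 and 4 are checking: every failed login, whether the user is unknown or the password is wrong, returns the same generic message; a CAPTCHA/MFA challenge is demanded after a few failures; and the account is temporarily locked after a threshold. All policy values, the `session`-free in-memory user store and the `LoginGuard` name are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Hypothetical policy values chosen for this example
MAX_FAILED_ATTEMPTS = 5          # lock the account on the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60        # keep it locked for 15 minutes
CHALLENGE_AFTER = 3              # require CAPTCHA/MFA from the 3rd failure on
GENERIC_ERROR = "Invalid username or password."  # identical for every failure cause
PBKDF2_ROUNDS = 100_000


def make_password_record(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record for the constructed in-memory user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Dummy record used for unknown usernames so the hashing cost is paid on every
# path and response timing does not reveal whether an account exists.
_DUMMY_SALT, _DUMMY_DIGEST = make_password_record("not-a-real-password")


class LoginGuard:
    def __init__(self, users: dict):
        self.users = users       # username -> (salt, digest); constructed sample data
        self.failures = {}       # username -> (failed_count, locked_until)

    def attempt(self, username: str, password: str, now: float = None) -> dict:
        """Return {"ok", "error", "locked", "challenge"} for one login attempt."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))

        if now < locked_until:
            # Locked: same generic message, no hint that the lockout (or user) exists
            return {"ok": False, "error": GENERIC_ERROR, "locked": True, "challenge": True}
        if locked_until and now >= locked_until:
            count, locked_until = 0, 0.0     # lockout expired, start a fresh window

        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(username, None)  # success resets the failure counter
            return {"ok": True, "error": None, "locked": False, "challenge": False}

        count += 1
        if count >= MAX_FAILED_ATTEMPTS:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return {
            "ok": False,
            "error": GENERIC_ERROR,
            "locked": count >= MAX_FAILED_ATTEMPTS,
            "challenge": count >= CHALLENGE_AFTER,
        }


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_password_record("correct horse")})
    for _ in range(6):
        print(guard.attempt("alice", "wrong"))
    print(guard.attempt("alice", "correct horse"))
```

The `now` parameter exists so the lockout window can be exercised deterministically; a real deployment would also persist the counters outside the process and apply the same throttling per source address, which this example omits.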

Test end-state

  • Users are only able to log in via HTTPS.
  • Authentication is secure, and credentials are not exposed.
  • Brute force protection mechanisms prevent unauthorized access attempts.
  • Sessions are properly managed and expire after inactivity.
  • Shop owners can manage customer access securely without exposing sensitive data.

To be taken into account during test

  • Ensure that the HTTPS certificate is valid and properly configured.
  • Confirm that session management adheres to security best practices.
  • Verify that security headers (e.g., Strict-Transport-Security, Content-Security-Policy) are set correctly.
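As an added example (not code from the original test case), the checker below automates the response-level checks from test steps 1 and 5 together with the security-header item above: an HTTP probe of the login page must answer with a redirect to an `https://` URL, the session cookie in the HTTPS login response must carry `Secure` and `HttpOnly`, and `Strict-Transport-Security` (with a sufficiently long `max-age`) and `Content-Security-Policy` must be present. The session cookie name `session`, the host `shop.example`, the HSTS minimum and the sample responses are all constructed for the example; in practice the tuples would be filled from captured responses.

```python
import re

# Responses are modelled as (status_code, [(header_name, header_value), ...])

def _header(headers, name):
    """Case-insensitive lookup returning every value of a header."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


def check_https_redirect(status, headers):
    """Step 1: an HTTP request for the login page must redirect to an https:// URL."""
    locations = _header(headers, "Location")
    return (status in (301, 302, 307, 308)
            and bool(locations)
            and locations[0].lower().startswith("https://"))


def parse_cookie_attributes(set_cookie_value):
    """Split a Set-Cookie value into (cookie_name, {attribute_lowercase: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_session_cookies(headers, session_cookie_name="session"):
    """Step 5: the session cookie must be marked Secure and HttpOnly."""
    problems, found = [], False
    for raw in _header(headers, "Set-Cookie"):
        name, attrs = parse_cookie_attributes(raw)
        if name != session_cookie_name:
            continue
        found = True
        if "secure" not in attrs:
            problems.append("session cookie lacks Secure")
        if "httponly" not in attrs:
            problems.append("session cookie lacks HttpOnly")
    if not found:
        problems.append("no session cookie set")
    return problems


def check_security_headers(headers, min_hsts_age=15_552_000):
    """HSTS with an adequate max-age (180 days assumed here) and a CSP must be present."""
    problems = []
    hsts = _header(headers, "Strict-Transport-Security")
    if not hsts:
        problems.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < min_hsts_age:
            problems.append("HSTS max-age too short")
    if not _header(headers, "Content-Security-Policy"):
        problems.append("missing Content-Security-Policy")
    return problems


def audit(http_probe, https_login):
    """Run all checks; an empty list means the response-level criteria pass."""
    findings = []
    if not check_https_redirect(*http_probe):
        findings.append("HTTP login page not redirected to HTTPS")
    findings += check_session_cookies(https_login[1])
    findings += check_security_headers(https_login[1])
    return findings


# Constructed sample responses: one compliant pair and one weak pair
GOOD_HTTP_PROBE = (301, [("Location", "https://shop.example/login")])
GOOD_LOGIN = (200, [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
])
WEAK_HTTP_PROBE = (200, [("Content-Type", "text/html")])   # served login over plain HTTP
WEAK_LOGIN = (200, [
    ("Set-Cookie", "session=abc123; Path=/"),              # no Secure, no HttpOnly
    ("Content-Security-Policy", "default-src 'self'"),     # HSTS missing entirely
])

if __name__ == "__main__":
    print("good:", audit(GOOD_HTTP_PROBE, GOOD_LOGIN))
    print("weak:", audit(WEAK_HTTP_PROBE, WEAK_LOGIN))
```

Each finding maps directly onto a FAIL condition of this test case, so the list returned by `audit` can be pasted into the test record as the evidence for a failed run.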

Test result (Pass/Fail Criteria)

  • PASS condition: Users can log in securely via HTTPS, authentication works correctly, and all security measures function as expected.
  • FAIL condition: Login is possible over HTTP, authentication fails, brute force protection is missing, or sessions are not properly secured.
Edited by AE9947