Slide 1 Reusable Test Case For Login Module
Author: Ashwin C
Reference: Q-Patterns by Vipul Kocher from PureTesting.com
Version No: 1.0
Created Date: 02/08/2007
Slide 2 A quick introduction
What this presentation is about:
–This is a set of test questions that will help validate the ‘authentication’ module of the product.
The questions are categorized into:
–Functionality questions
–User Interface questions
–Security questions
–Appendix
Who can use this?
–Test engineers who need to test web-based authentication
–Developers who need to implement this module
–Designers involved in specifying the authentication design
Slide 3 Functionality
User-Id/Password constraints/properties
–What is the min/max length of User-Id/Password?
–Are they required to be alphanumeric/numeric only?
–Must the password contain at least one special character/non-alphabetic character?
–Are User-Id/Password case sensitive?
–Are blank passwords allowed?
–Can characters like #, $, or accented characters such as ç, è be used?
–Can a password consist only of spaces?
–Are spaces allowed within the User-Id/Password?
–Are leading/trailing white spaces trimmed? (Trimming a password silently changes the credential; the expected behaviour should be specified, not assumed.)
Successful Login
–Is the next screen presented to the User based on User Role?
–Can a User log into the application multiple times without logging out?
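The constraint questions above only become test cases once each one is pinned to a concrete rule. The following is an added example, not code from the original presentation: a policy checker in which the limits (8–64 characters for passwords, 3–32 for User-Ids), the allowed User-Id alphabet, the rejection of control and end-of-line characters, and the choice that User-Ids compare case-insensitively while passwords are never normalized are all assumed values chosen for illustration; substitute the product's actual specification.

```python
# Added example (not part of the original presentation): a password/User-Id
# policy checker that turns the constraint questions on this slide into
# testable rules. All limits and alphabets below are assumed values.
from __future__ import annotations

import string
import unicodedata

MIN_LEN, MAX_LEN = 8, 64              # assumed password length limits
MIN_USER_LEN, MAX_USER_LEN = 3, 32    # assumed User-Id length limits
ALLOWED_USER_CHARS = set(string.ascii_letters + string.digits + "._-")  # assumed


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if password == "":
        problems.append("blank password")
        return problems
    if password.strip() == "":
        problems.append("password consists only of whitespace")
    if password != password.strip():
        # Silently trimming would change the credential; reject instead.
        problems.append("leading/trailing whitespace")
    if any(unicodedata.category(ch).startswith("C") for ch in password):
        # Unicode "C" categories cover control characters, including \r and \n.
        problems.append("control or end-of-line character")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(not ch.isalpha() for ch in password):
        # Accented letters such as ç and è are letters and are allowed;
        # at least one non-letter (digit, #, $, space, ...) is still required.
        problems.append("needs at least one non-alphabetic character")
    return problems


def check_user_id(user_id: str) -> list[str]:
    """Return the list of policy violations for a User-Id."""
    problems = []
    if not MIN_USER_LEN <= len(user_id) <= MAX_USER_LEN:
        problems.append(f"length must be {MIN_USER_LEN}-{MAX_USER_LEN} characters")
    if any(ch not in ALLOWED_USER_CHARS for ch in user_id):
        # Covers internal spaces, leading/trailing spaces and accented characters.
        problems.append("only ASCII letters, digits, '.', '_' and '-' are allowed")
    return problems


def user_ids_match(a: str, b: str) -> bool:
    """Assumed policy: User-Id comparison is case-insensitive. Passwords never are."""
    return a.casefold() == b.casefold()
```

Each question on the slide maps to one call: the whitespace-only, leading/trailing-space and end-of-line cases all come back with a named violation instead of being silently trimmed, and `user_ids_match` documents the case-sensitivity decision rather than leaving it implicit in the database collation.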
Slide 4 Functionality continued
Login failure: is there a limit on the number of attempts?
–What is the number of allowed retries after login failure?
–What happens after all retries are exhausted (e.g. a temporary lockout, or a lock that requires administrator action)? Does a correct password still fail while the account is locked?
Password change
–Test that ‘new password’ and ‘confirm password’ must be identical
–Try with CAPS and small letters (the comparison must be case sensitive)
–Try with one password having leading/trailing spaces
–Can it be reset to the same password again?
–Can it be reset to a previously used password?
Can the User request a password reset if they have forgotten the password?
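The retry-limit and password-change questions above can be exercised against a small account model. This is an added example, not code from the original slides: the values of `MAX_ATTEMPTS`, `LOCK_SECONDS`, `HISTORY_DEPTH` and the PBKDF2 iteration count are assumed policy choices, and the clock is injectable so a test can advance time past the lockout without sleeping.

```python
# Added example (not from the original slides): an account with a failed-login
# counter, a timed lockout, and password-change rules that enforce exact
# confirmation and refuse reuse of the current or previous passwords.
# MAX_ATTEMPTS, LOCK_SECONDS, HISTORY_DEPTH and ITERATIONS are assumed values.
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5            # assumed: failures allowed before the lock engages
LOCK_SECONDS = 15 * 60      # assumed: lockout duration
HISTORY_DEPTH = 5           # assumed: current password plus 4 previous ones
ITERATIONS = 100_000        # assumed PBKDF2 work factor


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:
    def __init__(self, password: str, clock=time.time):
        self.clock = clock
        self.failures = 0
        self.locked_until = 0.0
        self.history = []          # (salt, digest) pairs, newest last
        self._set(password)

    def _set(self, password: str) -> None:
        salt = os.urandom(16)      # fresh salt per password, so reuse cannot be spotted by digest
        self.history.append((salt, _hash(password, salt)))
        del self.history[:-HISTORY_DEPTH]

    def _matches_current(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)

    def _used_before(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash(password, s), d) for s, d in self.history)

    def login(self, password: str) -> str:
        now = self.clock()
        if now < self.locked_until:
            return "locked"                 # even a correct password fails while locked
        if self._matches_current(password):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
            return "locked"
        return "bad credentials"

    def change_password(self, old: str, new: str, confirm: str) -> str:
        if new != confirm:                  # exact match: case and whitespace both count
            return "new and confirm differ"
        if not self._matches_current(old):
            return "old password incorrect"
        if self._used_before(new):          # also catches "same password again"
            return "password was used before"
        self._set(new)
        return "changed"
```

The history check hashes the candidate against every stored salt rather than comparing digests, which is what makes per-password salts compatible with a reuse rule; the cost is `HISTORY_DEPTH` hash computations on each change, which belongs in the performance budget discussed in the appendix.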
Slide 5 User Interface
What is the strategy for conveying login failure?
–Is the exact error cause shown (User does not exist, password is incorrect), or a generic message stating that one of them is incorrect? (A distinct message for an unknown User-Id lets an attacker enumerate valid accounts; the generic message is the safer choice, and the response time should not differ either.)
–Where is the cursor placed after the login failure message is dismissed?
–Are User-Id, password or both blanked out after an incorrect login?
Verification of the error message for clarity/communication in the scenarios below
–When the number of retries exceeds the configured value.
–When an "Inactive/Locked" User tries to log in.
–Does the field name displayed in the Screen/UI match the one displayed in the error message?
Key Usage
–Is the password cleared when the browser Back button is used after Login?
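The first question on this slide is the one with a security consequence, so here is an added example (not code from the original presentation) of both strategies side by side. `login_verbose` reports which field was wrong and therefore confirms whether a User-Id exists; `login_generic` returns one message for both cases and performs the same hashing work whether or not the user exists, so neither the text nor the response time answers the question for an attacker. The user table and hashing parameters are constructed for the example.

```python
# Added example (not from the original slides): an enumerating login response
# next to one that gives nothing away. USERS is constructed sample data and
# ITERATIONS is an assumed PBKDF2 work factor.
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC = "User-Id or password is incorrect"
_DUMMY_SALT = os.urandom(16)          # used when the User-Id does not exist
_DUMMY_DIGEST = b"\0" * 32            # can never match a real PBKDF2 output


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {"ashwin": make_user("Correct#Horse1")}   # constructed sample data


def login_verbose(username: str, password: str) -> tuple:
    """The 'exact error cause' strategy. The first message leaks account existence."""
    user = USERS.get(username)
    if user is None:
        return (False, "User does not exist")
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return (False, "Password is incorrect")
    return (True, "Welcome")


def login_generic(username: str, password: str) -> tuple:
    """The generic strategy: same message and same amount of work on both failure paths."""
    user = USERS.get(username)
    if user is None:
        salt, expected = _DUMMY_SALT, _DUMMY_DIGEST   # still pay for one PBKDF2 run
    else:
        salt, expected = user["salt"], user["hash"]
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if matched and user is not None:
        return (True, "Welcome")
    return (False, GENERIC)
```

A UI test for this slide compares the two failure responses (unknown User-Id, wrong password) and expects them to be byte-for-byte identical; a timing test sends both a few hundred times and expects the distributions to overlap, which the dummy hash on the unknown-user path is there to guarantee.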
Slide 6 Security
Login, copy the browser URL, sign out, then paste the URL and try to break in – it should fail
Login, logout, go ‘back’ and try to use the application – it should fail
Test for ‘SQL injection’ in the User-Id and password fields
Are passwords hashed (with a per-user salt and a deliberately slow algorithm), rather than reversibly encrypted, before storing? If so, what algorithm is used?
Are stored hashes/encrypted values accepted in place of the password itself? They must not be, or a copy of the database logs in without any cracking
Encryption before transmission (TLS)?
Number of failed logins allowed?
Display of password in debug logs?
Expiry of session after some interval of inactivity?
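The ‘SQL injection’ item above is easiest to explain with the query in front of you. The following is an added example, not code from the original slides: `login_injectable` is the deliberately vulnerable form, building the statement by string formatting so that a crafted User-Id comments out the password check; `login_parameterized` binds the value, looks up only the salt and hash, and recomputes the hash of what was typed, which is also why submitting the stored hash as the password (the "are encrypted passwords accepted?" question) is refused. The in-memory SQLite table, the sample account and the PBKDF2 parameters are constructed here; the plaintext column exists only so the vulnerable query has something to compare and would not be present in a real schema.

```python
# Added example (not from the original slides): an injectable login query
# beside its parameterized replacement, run against a constructed SQLite table.
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000   # assumed PBKDF2 work factor


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one user, stored both in plaintext (for the
    vulnerable query only) and as salt + PBKDF2 digest (for the safe one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt BLOB, pw_hash BLOB)"
    )
    password, salt = "Correct#Horse1", os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)", ("ashwin", password, salt, digest))
    conn.commit()
    return conn


def login_injectable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input is spliced into the SQL text.
    A User-Id of  ashwin' --  turns the statement into
    SELECT ... WHERE username = 'ashwin' --' AND password = '...'
    and the password clause is commented away."""
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SAFE: the User-Id is bound as a value, so quotes and comment markers are
    just characters, and the password is verified by re-hashing, never by SQL."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def stored_hash_hex(conn: sqlite3.Connection, username: str) -> str:
    """Fetch the stored digest, as an attacker with a database copy would have it."""
    return conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()[0].hex()
```

The injection payload worth keeping in the test suite is the targeted one (`ashwin' --`) rather than only `' OR '1'='1`, because it logs in as a chosen account and shows that the password clause never ran; the parameterized version returns false for the same input because no user is literally named `ashwin' --`.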
Slide 7 Appendix – Additional test questions
Response time performance
–What is the time taken for authentication? It may depend upon:
 –Repository for password storage
 –Hashing/encryption algorithm (a deliberately slow password hash adds a fixed cost per login; the budget must allow for it)
 –Connectivity
–What is the time taken for displaying the next screen?
–What is the time taken for notification of login failure? (It should not be measurably shorter for an unknown User-Id than for a wrong password.)
–What is the response time for the above scenarios when there are multiple simultaneous logins happening?
Storage performance
–Is the storage independent of User-Id and password length?
–Does the storage adjust itself when Users are deleted?
Slide 8 Appendix – continued
Is there an ‘Auto load the Password’ feature?
–When a user specifies the login name, the password gets pre-populated
–Can this be turned off?
–Can saved passwords be “unsaved”?
–What is the limit on the number of saved user id-password combinations?
–Where is this information saved?
Is there a ‘Remember Me’ feature?
–Can this be turned off?
–Is the User logged in on loading the application?
–Is the Home page/selected (Book Mark) screen presented to the User?
–Where is this information saved, and can the server revoke it?
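The "copy the URL, sign out, paste it", "go back after logout" and inactivity-expiry items on the Security slide, and the "where is this saved?" question for ‘Remember Me’ on this one, all come down to the same server-side state. What follows is an added example, not code from the original presentation: a session store that keeps only a hash of each token, drops sessions on logout so a replayed URL or Back-button request fails, expires idle sessions, and treats a remember-me token as a single-use, revocable credential that mints a fresh session. The timeouts are assumed values and the clock is injectable for testing.

```python
# Added example (not from the original slides): a server-side session and
# remember-me store. IDLE_SECONDS and REMEMBER_SECONDS are assumed values.
import hashlib
import secrets
import time

IDLE_SECONDS = 15 * 60              # assumed: session expires after 15 min idle
REMEMBER_SECONDS = 30 * 24 * 3600   # assumed: remember-me token lives 30 days


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # token digest -> {"user", "last_seen"}
        self._remember = {}   # token digest -> {"user", "expires"}

    @staticmethod
    def _digest(token: str) -> str:
        # Only a hash of the token is stored: a copy of this table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, remember: bool = False) -> tuple:
        """Start a session; optionally also issue a remember-me token."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {"user": user, "last_seen": self.clock()}
        remember_token = None
        if remember:
            remember_token = secrets.token_urlsafe(32)
            self._remember[self._digest(remember_token)] = {
                "user": user,
                "expires": self.clock() + REMEMBER_SECONDS,
            }
        return token, remember_token

    def user_for(self, token: str):
        """Return the user behind a live session token, or None. Refreshes last_seen."""
        key = self._digest(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None                       # unknown, logged out, or already expired
        now = self.clock()
        if now - rec["last_seen"] > IDLE_SECONDS:
            del self._sessions[key]           # inactivity expiry
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, token: str, remember_token: str = None) -> None:
        """Server-side revocation: the browser may still hold the token, but it is dead."""
        self._sessions.pop(self._digest(token), None)
        if remember_token is not None:
            self._remember.pop(self._digest(remember_token), None)

    def resume(self, remember_token: str):
        """Exchange a valid remember-me token for a new session (and a rotated token)."""
        rec = self._remember.pop(self._digest(remember_token), None)   # single use
        if rec is None or rec["expires"] < self.clock():
            return None
        return self.login(rec["user"], remember=True)
```

The two tests from the Security slide become: call `user_for` with the token from before `logout` and expect `None`; advance the clock past `IDLE_SECONDS` and expect `None`. The remember-me answer to "where is this information saved?" is then: a random token in the browser, its hash and expiry on the server, so the server can revoke it and a stolen table is not enough to resume a session.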
Slide 9 Appendix – continued
Does the password expire?
–In how many days? (Say X)
–Can the User set the value of X?
–Can the Administrator set “Password does not expire” for a User?
Are End-of-Line characters allowed in between the User-Id/Password?
Slide 10 www.trigent.com
Contact Trigent
2 Willow Street, Suite #201
Southborough, MA 01745 USA
firstname.lastname@example.org
+1-877-3TRIGENT