Authentication: The Front Door of Your Application

Authentication is how your application verifies user identity. It is the most security-critical feature — every other security measure depends on authentication working correctly. A bug in authentication can expose every user’s data.

This lesson covers testing authentication flows (login, registration, password recovery) and session management (how the application tracks who you are after login).

Login Flow Testing

Happy Path

Start with the obvious: valid credentials should work.

  • Login with correct email and password
  • Verify redirect to the correct page (dashboard, home, or the page they were trying to access)
  • Verify the user’s name or avatar appears in the UI
  • Verify session is created (check cookies in DevTools)

Invalid Credentials

Test CaseExpected Behavior
Wrong passwordGeneric error: “Invalid email or password” (never reveal which is wrong)
Non-existent emailSame generic error as wrong password
Empty emailValidation error before submission
Empty passwordValidation error before submission
SQL injection in emailNo SQL error, generic validation message
XSS in email fieldInput sanitized, no script execution
Extremely long email (1000+ chars)Handled gracefully
Extremely long password (1000+ chars)Handled gracefully

Critical security note: The error message for wrong email vs. wrong password must be identical. Different messages allow attackers to enumerate valid accounts.

Brute Force Protection

Try logging in with wrong passwords repeatedly:

  1. After 3-5 failed attempts, does the system show a CAPTCHA?
  2. After 10+ attempts, is the account locked or rate-limited?
  3. Is there a cooldown period? How long?
  4. Does the lockout apply per IP, per account, or both?
  5. Can the lockout be bypassed by changing IP (using a VPN)?

Social Login (OAuth)

If the application supports Google, GitHub, Facebook login:

  • Does the OAuth flow redirect correctly?
  • What happens if the user denies permission?
  • Is the email from OAuth matched to an existing account?
  • What happens if the social provider is down?
  • Can the user link/unlink social accounts?

Registration Flow Testing

Account Creation

  • Valid registration with all required fields
  • Duplicate email — should reject with clear message
  • Password strength requirements — test just below each requirement
  • Email verification — does the confirmation link work?
  • Email verification link expiration — does it expire after a reasonable time?
  • Registration with already-confirmed email — what happens?

Email Verification

  1. Register a new account
  2. Check that the verification email arrives
  3. Click the verification link — account should activate
  4. Click the same link again — should show “already verified” or similar
  5. Try to login before verifying — should show appropriate message
  6. Request a new verification email — does it invalidate the old link?

Password Recovery Testing

Forgot Password Flow

  1. Request password reset for a valid email
  2. Verify email arrives within reasonable time
  3. Click the reset link — should show password reset form
  4. Set a new password — should succeed
  5. Login with new password — should work
  6. Login with old password — should fail
  7. Click the reset link again — should be expired

Security Edge Cases

TestExpected
Reset for non-existent emailSame message as valid email (prevent enumeration)
Multiple reset requestsOnly the latest link should work
Reset link after password changeLink should be invalidated
Reset link expiration (24h+)Link should expire
Reset link formatShould be unpredictable (long random token)

Session Management

Session Creation and Storage

After login, verify:

  • A session cookie is created
  • The cookie has Secure flag (HTTPS only)
  • The cookie has HttpOnly flag (not accessible to JavaScript)
  • The cookie has SameSite attribute
  • The session ID is sufficiently long and random (at least 128 bits)
  • The session ID changes after login (prevents session fixation)

Session Timeout

  • Idle timeout: After X minutes of inactivity, the session expires. Test by waiting and then performing an action.
  • Absolute timeout: After Y hours regardless of activity, the session expires. This limits damage from stolen sessions.
  • Timeout behavior: When the session expires, what happens? Redirect to login? Show a modal? Lose unsaved work?

Advanced Authentication Testing

Concurrent Sessions

Test what happens when the same user logs in from multiple locations:

  1. Login on Browser A
  2. Login on Browser B with the same account
  3. Perform an action on Browser A — is the session still valid?
  4. Does the application limit concurrent sessions?
  5. If sessions are limited, which session is terminated — the old one or the new one?
  6. Is the terminated session notified?

Remember Me Functionality

If the login form has a “Remember me” checkbox:

  • How long does the persistent session last? (Typically 30 days)
  • Is a separate persistent token used (not the session cookie)?
  • Can the user revoke all remembered sessions from their account settings?
  • Does “Remember me” survive browser restart?
  • Is the persistent token invalidated on password change?

Multi-Factor Authentication (MFA)

If the application supports MFA:

  • Does it work with authenticator apps (TOTP)?
  • Does it work with SMS codes?
  • What happens with an expired code?
  • What happens with a wrong code 3+ times?
  • Can MFA be bypassed by manipulating the request?
  • Are backup codes provided and do they work?
  • What happens if the user loses their MFA device?

Account Lockout Testing

  1. Trigger account lockout (multiple failed login attempts)
  2. Verify the lockout duration
  3. Can the user still reset their password while locked out?
  4. Does the lockout counter reset after successful login?
  5. Is the lockout per IP address, per account, or both?

Exercise: Authentication Security Audit

Perform a complete authentication audit on a web application:

  1. Registration: Create an account, try duplicates, test email verification
  2. Login: Test valid/invalid credentials, check error messages for enumeration leaks
  3. Session: Inspect cookies for security flags (Secure, HttpOnly, SameSite)
  4. Timeout: Wait for session expiration, verify behavior
  5. Password reset: Complete the flow, verify link expiration and old-password invalidation
  6. Concurrent sessions: Login from two browsers simultaneously
  7. Logout: Verify session destruction — press back button after logout, try to access authenticated pages

Document findings:

AreaTestFindingRisk
LoginError messagesDifferent for wrong email vs. wrong passwordHigh (enumeration)
SessionCookie flagsMissing HttpOnly flagHigh (XSS can steal session)
Password resetLink expirationLink works after 7 daysMedium
LogoutBack buttonShows cached authenticated pageMedium

Logout Testing

Logout is often under-tested:

  1. Click logout — verify redirect to login page
  2. Press browser back button — should NOT show authenticated content
  3. Try to access an authenticated URL directly — should redirect to login
  4. Check that session cookie is deleted or invalidated
  5. Check that server-side session is destroyed (not just cookie deletion)
  6. In a separate tab still open — what happens when you try to perform an action?

Key Takeaways

  • Authentication is the most security-critical feature — test it exhaustively
  • Login error messages must be generic to prevent account enumeration
  • Always verify session cookies have Secure, HttpOnly, and SameSite flags
  • Test session timeout both for idle and absolute durations
  • Password reset links must expire and invalidate after use
  • Session IDs must regenerate after login to prevent session fixation
  • Logout must destroy the session server-side, not just delete the cookie
  • Test concurrent sessions, MFA, and account lockout as part of authentication testing