DEV Community

Cover image for Modern Browser Testing Is Mostly State Management
Markus Gasser
Markus Gasser

Posted on

Modern Browser Testing Is Mostly State Management

A lot of browser testing advice still sounds like it was written for simpler web apps.

Click a button. Fill a form. Assert that a message appears.

That still matters, but many real failures now happen before the user even reaches the main product flow.

Authentication, browser state, permissions, redirects, cookies, location, device trust, and session recovery can all change what the test sees. And when those things are unstable, even a well-written test can become unreliable.

Login flows are no longer simple

The old login flow was predictable.

You entered an email, entered a password, clicked “Log in,” and waited for the dashboard.

Modern authentication is much more complicated.

Products now use passkeys, WebAuthn, MFA, magic links, expiring codes, device-bound sessions, and recovery flows. That means a test is no longer just verifying a form. It is verifying whether the browser, the session, the identity provider, and the application all agree about who the user is.

That is why teams should think carefully about what to look for in a browser testing tool for WebAuthn, passkeys, and device-bound login flows.

The same applies to platforms that depend on MFA or session recovery. A good QA platform should make it realistic to test multi-step authentication, MFA, and session recovery without turning every test into a collection of brittle workarounds.

Email-based authentication is another source of hidden risk. Magic links, verification emails, and expiring codes are easy to overlook until a signup journey breaks in production. For that category, this Endtest review for testing email verification, magic links, and expiring codes without breaking the signup journey covers a useful set of concerns.

Browser permissions can make tests flaky

Permissions are another area where browser tests often fail for reasons that are not obvious.

Camera, microphone, location, and notification prompts depend on browser settings, previous state, operating system behavior, and the environment where the test runs.

That means a test can pass locally and fail in CI, even if the application code did not change.

Teams testing products with media, maps, notifications, or location-aware features should have a repeatable strategy for testing browser permissions for camera, microphone, location, and notifications without flaky runs.

This also connects to geo-specific behavior. A user in one country may see a cookie banner. Another may see a different landing page. Another may be blocked from a feature entirely.

If your application changes by region, then your test strategy needs to account for cookie consent, geo targeting, and region-specific entry paths. This guide on how to evaluate a browser testing platform for cookie consent, geo targeting, and region-specific entry paths is a good starting point.

Session rehydration is where many tests break

Redirects are another common source of false confidence.

A test might click a button, follow a redirect, and then fail because the frontend state was not rehydrated yet. Or because a token refreshed. Or because the app rebuilt the session in a slightly different order.

From the user’s perspective, the app may still work. From the test’s perspective, everything looks unstable.

That is why it helps to know how to debug browser tests that fail only after a full-page redirect and session rehydration.

Feature flags and remote config create a similar problem. Your staging environment may not really match production. A flag might be enabled for one role, disabled for another, or configured differently across environments.

When that happens, the browser test may be blamed even though the real issue is configuration drift. This article explains why browser tests fail in staging after feature flag and remote config drift.

Role switching exposes hidden product risk

Role-based products are especially tricky.

A normal user, admin, manager, reviewer, support agent, and owner may all see different navigation, different data, and different actions.

The test suite needs to verify not only that each role works, but that permissions do not drift over time. Hidden admin paths and role switching bugs are exactly the kind of issues that basic happy-path tests miss.

For teams dealing with those flows, this Endtest review for teams testing web apps with role switching, permission drift, and hidden admin paths is relevant.

The lesson

The hard part of modern browser testing is not always the click.

It is the state around the click.

Who is the user? What region are they in? What browser permissions exist? Which feature flags are active? Did the session rehydrate? Did the token refresh? Is this the right role?

A reliable test suite needs to control or observe those things.

Otherwise, the team ends up debugging symptoms instead of the real source of instability.

Top comments (0)