diff --git a/server/handler/link_auth_otp_test.go b/server/handler/link_auth_otp_test.go index 8718667..b9eb269 100644 --- a/server/handler/link_auth_otp_test.go +++ b/server/handler/link_auth_otp_test.go @@ -259,13 +259,19 @@ func TestCreateSession(t *testing.T) { preIpData() defer closeIpdata() + base.Cfg.EnableBanner = true + + other := &dbdata.SettingOther{Banner: "测试横幅内容"} + err := dbdata.SettingSet(other) + ast.Nil(err) + // 创建测试数据 group := "session-test-group" username := "session-test-user" dns := []dbdata.ValData{{Val: "8.8.8.8"}} g := dbdata.Group{Name: group, Status: 1, ClientDns: dns} - err := dbdata.SetGroup(&g) + err = dbdata.SetGroup(&g) ast.Nil(err) u := dbdata.User{Username: username, Groups: []string{group}, Status: 1} @@ -306,6 +312,15 @@ func TestCreateSession(t *testing.T) { ast.Equal(http.StatusOK, w.Code) // 验证响应包含会话信息 ast.Contains(w.Body.String(), "session-token") + ast.Contains(w.Body.String(), "测试横幅内容") + + base.Cfg.EnableBanner = false + + w2 := httptest.NewRecorder() + CreateSession(w2, req, authSession) + + ast.Equal(http.StatusOK, w2.Code) + ast.NotContains(w2.Body.String(), "测试横幅内容") } func preIpData() { diff --git a/server/handler/link_auth_test.go b/server/handler/link_auth_test.go new file mode 100644 index 0000000..eee653a --- /dev/null +++ b/server/handler/link_auth_test.go 
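Review bot: `base.Cfg.EnableBanner` is switched on in the first hunk and left at `false` by the second, and the banner written with `dbdata.SettingSet(other)` is never reset, so both the process-wide flag and the stored setting leak into whichever test in the package runs next. Save and restore the flag where it is first set, e.g. `prev := base.Cfg.EnableBanner` followed by `defer func() { base.Cfg.EnableBanner = prev }()`, and put the previous settings row back the same way unless `closeIpdata` already discards it. The second call, `CreateSession(w2, req, authSession)`, reuses `req`. If the handler reads the request body, that call sees a drained body, so a fresh request would keep the `NotContains` check independent of the first call. `TestCreateSession` begins above the first hunk, so how `req` and `authSession` are built is not visible here.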
@@ -0,0 +1,65 @@
+package handler
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "net/http"
+ "net/http/httptest"
+ "strings"
+ "testing"
+
+ "github.com/bjdgyc/anylink/base"
+)
+
+func TestLinkAuth_AuthCert(t *testing.T) {
+ base.Test()
+
+ // 开启证书验证但未提供证书
+ base.Cfg.AuthCert = true
+ base.Cfg.AuthOnlyCert = true
+
+ req := httptest.NewRequest("POST", "/", strings.NewReader(`auth-replytesttestdefault`))
+ req.Header.Set("User-Agent", "cisco anyconnect vpn agent")
+ req.Header.Set("X-Aggregate-Auth", "1")
+ req.Header.Set("X-Transcend-Version", "1")
+
+ w := httptest.NewRecorder()
+ LinkAuth(w, req)
+
+ if w.Code != http.StatusForbidden {
+ t.Error()
+ }
+
+ // 开启证书验证但未提供证书,但证书验证失败
+ base.Cfg.AuthCert = true
+ base.Cfg.AuthOnlyCert = true
+
+ cert := &x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: "",
+ OrganizationalUnit: []string{""},
+ },
+ }
+ req.TLS = &tls.ConnectionState{
+ PeerCertificates: []*x509.Certificate{cert},
+ }
+
+ w = httptest.NewRecorder()
+ LinkAuth(w, req)
+
+ if w.Code != http.StatusBadRequest {
+ t.Error()
+ }
+
+ // 开启证书验证但未提供证书,未开启仅证书认证
+ base.Cfg.AuthCert = true
+ base.Cfg.AuthOnlyCert = false
+
+ w = httptest.NewRecorder()
+ LinkAuth(w, req)
+
+ if w.Code == http.StatusForbidden {
+ t.Error()
+ }
+}
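Review bot: All three cases pass the same `req` to `LinkAuth`, so if the handler reads the request body, the second and third calls see a drained body and the `http.StatusBadRequest` in the second case may come from body parsing rather than from the certificate with an empty CommonName, leaving the certificate-rejection path unproven. Hold the payload in a variable and reset it before each later call, e.g. `req.Body = io.NopCloser(strings.NewReader(payload))`, or build a fresh request per case. The last check, `w.Code == http.StatusForbidden`, accepts any other status, including a 500, as a pass; assert the status that case is actually expected to return. The bare `t.Error()` calls carry no diagnostic; `t.Errorf("no client cert, AuthOnlyCert=true: got %d, want %d", w.Code, http.StatusForbidden)` would name the failing case. The comments on cases two and three say no certificate is provided although `req.TLS` carries one, and `base.Cfg.AuthCert` / `base.Cfg.AuthOnlyCert` are left modified when the test returns, which can change the authentication behaviour other tests in the package see.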