TL;DR
A secure login flow needs rate limiting, account lockout, timing-safe comparisons, and secure session creation. These prompts help you implement brute force protection, credential stuffing defenses, and proper session management after successful authentication.
Rate Limiting and Brute Force Protection
Add rate limiting to my login endpoint to prevent brute force attacks.
Framework: Next.js/Express/FastAPI
Requirements:
- Limit login attempts per IP address
- Limit login attempts per username/email
- Progressive delays after failed attempts
- Account lockout after X failures
- CAPTCHA trigger after suspicious activity
Implement:
- 5 attempts per minute per IP
- 10 attempts per hour per username
- Exponential backoff: 1s, 2s, 4s, 8s delays
- Lock account for 15 minutes after 10 failures
- Store attempt counts in Redis or in-memory
Return the same generic error message for every failure so the response does not reveal whether the account exists.
Secure Credential Validation
Review my login function and fix timing attack vulnerabilities.
Current issues to check:
- Early return if user not found (timing leak)
- Non-constant-time password comparison
- Different response times for valid vs invalid users
Fix by:
- Always perform password hash comparison
- Use timing-safe comparison functions
- Add consistent response delay
- Same error message for all failure cases
Also ensure:
- Password is hashed with bcrypt/argon2
- Original password cleared from memory
- Failed attempts are logged (without password)
- Successful login creates secure session
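The checklist above, worked through in Python as an added example that is not part of the original page: the unknown-user path does the same hash work as the known-user path against a dummy hash, comparison is constant-time, every failure returns one message, and the audit log never sees the password. Assumptions: the standard library's PBKDF2 stands in for bcrypt/argon2 so it runs without extra packages, and the user store with the single account "alice" is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2 from the standard library stands in for bcrypt/argon2 so the
# example runs without third-party packages; use argon2id or bcrypt in production.
ITERATIONS = 100_000
LOGIN_FAILED = "Invalid username or password"  # one message for every failure case


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key); a fresh random salt is generated if none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store with one account. The dummy entry gives unknown usernames
# the same hashing work, so "user not found" cannot be told apart by response time.
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": hash_password("correct horse battery staple")}
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class LoginResult:
    ok: bool
    message: str
    session_id: Optional[str] = None


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)  # constant-time byte comparison


def login(username: str, password: str, audit_log: List[dict]) -> LoginResult:
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    # Always run the full hash comparison, then reject unknown users regardless.
    matched = verify_password(password, salt, expected) and record is not None
    del password  # drop this frame's reference; Python cannot zero immutable strings
    if not matched:
        audit_log.append({"event": "login_failed", "user": username})  # never the password
        return LoginResult(False, LOGIN_FAILED)
    audit_log.append({"event": "login_ok", "user": username})
    # A new, cryptographically random session id is issued only after success.
    return LoginResult(True, "ok", session_id=secrets.token_urlsafe(32))
```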
Session Creation After Login
After successful login, create a secure session properly.
Requirements:
- Generate cryptographically secure session ID
- Regenerate session ID on login (prevent fixation)
- Set secure cookie attributes
- Store minimal data in session
- Implement session timeout
Cookie settings needed:
- HttpOnly: true
- Secure: true (HTTPS only)
- SameSite: Strict or Lax
- Path: /
- Max-Age or Expires
Also implement:
- Absolute session timeout (e.g., 24 hours)
- Idle timeout (e.g., 30 minutes)
- Remember-me with separate long-lived token
- Concurrent session limits (optional)
Never reveal account existence: Use the same error message and response time for "user not found" and "wrong password" to prevent account enumeration attacks.
Login Audit and Monitoring
Add comprehensive security logging to my login flow.
Log these events:
- Successful logins (user, IP, user-agent, time)
- Failed logins (username attempted, IP, reason)
- Account lockouts triggered
- Password reset requests
- Suspicious patterns detected
For each event include:
- Timestamp (UTC)
- IP address
- User agent
- Geolocation (optional)
- Request ID for correlation
Implement alerts for:
- Login from new device/location
- Multiple failed attempts
- Impossible travel (successive logins from different countries too close in time for one person to have made the trip)
- Credential stuffing patterns
Don't log actual passwords or full session tokens.
Pro tip: Consider using a dedicated auth service like Clerk, Auth0, or Supabase Auth. They handle these security concerns and stay updated with best practices.
Should I use JWT or sessions for login?
Sessions are simpler and more secure for traditional web apps. JWTs work better for APIs and mobile apps. If you're not sure, start with sessions stored server-side with a secure cookie.
How many login attempts before lockout?
Common practice is 5-10 failed attempts before a temporary lockout. Use progressive delays (exponential backoff) before full lockout to slow attackers while not frustrating legitimate users too much.