Secure Login Flow with AI Prompts

TL;DR

A secure login flow needs rate limiting, account lockout, timing-safe comparisons, and secure session creation. These prompts help you implement brute force protection, credential stuffing defenses, and proper session management after successful authentication.

Rate Limiting and Brute Force Protection

Use this prompt to add brute force protection to your login endpoint. Your AI will generate rate limiting middleware with per-IP and per-username throttling, exponential backoff delays, and account lockout logic.

AI Prompt

Add Login Rate Limiting

Add rate limiting to my login endpoint to prevent brute force attacks.

Framework: Next.js/Express/FastAPI

Requirements:

  1. Limit login attempts per IP address
  2. Limit login attempts per username/email
  3. Progressive delays after failed attempts
  4. Account lockout after X failures
  5. CAPTCHA trigger after suspicious activity

Implement:

  • 5 attempts per minute per IP
  • 10 attempts per hour per username
  • Exponential backoff: 1s, 2s, 4s, 8s delays
  • Lock account for 15 minutes after 10 failures
  • Store attempt counts in Redis or in-memory

Return appropriate error messages that don't reveal if account exists.
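The following is an added example (not output from the prompt above) of what the requested throttling looks like in plain Python: an in-memory tracker with the prompt's exact limits (5/min per IP, 10/hour per username, 1-2-4-8 second backoff, 15-minute lockout after 10 failures) and an injectable clock so the behaviour can be verified without sleeping.

```python
import time
from collections import defaultdict, deque

# Limits taken from the prompt above.
IP_LIMIT, IP_WINDOW = 5, 60              # 5 attempts per minute per IP
USER_LIMIT, USER_WINDOW = 10, 3600       # 10 attempts per hour per username
LOCKOUT_FAILURES, LOCKOUT_SECONDS = 10, 15 * 60
BACKOFF = (1, 2, 4, 8)                   # delay after the 1st, 2nd, 3rd, 4th+ failure


class LoginThrottle:
    """In-memory attempt tracker. A Redis version keeps the same counters per
    ip/username with TTLs equal to the windows."""

    def __init__(self, now=time.monotonic):
        self.now = now                           # injectable clock for testing
        self.ip_attempts = defaultdict(deque)    # ip -> attempt timestamps
        self.user_attempts = defaultdict(deque)  # username -> attempt timestamps
        self.failures = defaultdict(int)         # username -> consecutive failures
        self.locked_until = {}                   # username -> unlock time

    def _prune(self, dq, window):
        cutoff = self.now() - window
        while dq and dq[0] < cutoff:
            dq.popleft()

    def check(self, ip, username):
        """Call before verifying credentials. Returns (allowed, delay_seconds);
        the caller waits delay_seconds before answering so failures get slower."""
        t = self.now()
        if self.locked_until.get(username, 0) > t:
            return False, 0
        self._prune(self.ip_attempts[ip], IP_WINDOW)
        self._prune(self.user_attempts[username], USER_WINDOW)
        if (len(self.ip_attempts[ip]) >= IP_LIMIT
                or len(self.user_attempts[username]) >= USER_LIMIT):
            return False, 0
        n = self.failures[username]
        delay = BACKOFF[min(n, len(BACKOFF)) - 1] if n else 0
        return True, delay

    def record(self, ip, username, success):
        t = self.now()
        self.ip_attempts[ip].append(t)
        self.user_attempts[username].append(t)
        if success:
            self.failures[username] = 0
        else:
            self.failures[username] += 1
            if self.failures[username] >= LOCKOUT_FAILURES:
                self.locked_until[username] = t + LOCKOUT_SECONDS
```

Whatever `check` returns, the HTTP response body should be the same generic message, so a blocked request does not tell the caller whether the username exists.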

Secure Credential Validation

Copy this prompt to have your AI review and fix timing attack vulnerabilities in your login function. You'll get constant-time password comparison, consistent response delays, and generic error messages that prevent account enumeration.

AI Prompt

Timing-Safe Login Check

Review my login function and fix timing attack vulnerabilities.

Current issues to check:

  1. Early return if user not found (timing leak)
  2. Non-constant-time password comparison
  3. Different response times for valid vs invalid users

Fix by:

  1. Always perform password hash comparison
  2. Use timing-safe comparison functions
  3. Add consistent response delay
  4. Same error message for all failure cases

Also ensure:

  • Password is hashed with bcrypt/argon2
  • Original password cleared from memory
  • Failed attempts are logged (without password)
  • Successful login creates secure session
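An added example (not the prompt's output) of the structural fixes listed above: the hash is always computed, a dummy hash absorbs the work when the username is unknown, the comparison uses `hmac.compare_digest`, and every failure returns the same message. `hashlib.scrypt` stands in for bcrypt/argon2 because neither is in the standard library; the consistent response delay from the prompt is left to the request handler.

```python
import hashlib
import hmac
import os

# scrypt stands in for bcrypt/argon2 (neither is in the stdlib). The point here
# is the comparison structure, not the hash; swap in your real hasher.
SALT_LEN, SCRYPT_N, SCRYPT_R, SCRYPT_P = 16, 2**14, 8, 1
GENERIC_ERROR = "Invalid username or password"   # one message for every failure


def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt + digest


def verify_hash(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)   # constant-time, never ==


# Hash of a random value, made once at startup. Used when the username is
# unknown so that "no such user" does the same work as "wrong password".
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(users: dict, username: str, password: str):
    """Return (ok, message). Never returns early on a missing user."""
    stored = users.get(username)
    known = stored is not None
    # Always run the hash; the dummy hash absorbs the work for unknown users.
    matched = verify_hash(password, stored if known else DUMMY_HASH)
    # Check `known` too: a match against the dummy hash must never log anyone in.
    if known and matched:
        return True, "ok"
    # Log the failure with username and reason, never the password.
    print(f"login_failed user={username!r} reason={'bad_password' if known else 'no_such_user'}")
    return False, GENERIC_ERROR
```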

Session Creation After Login

This prompt asks your AI to implement secure session creation after successful authentication. You'll get session ID generation, cookie configuration with HttpOnly/Secure/SameSite flags, and idle and absolute timeout handling.

AI Prompt

Secure Session Setup

After successful login, create a secure session properly.

Requirements:

  1. Generate cryptographically secure session ID
  2. Regenerate session ID on login (prevent fixation)
  3. Set secure cookie attributes
  4. Store minimal data in session
  5. Implement session timeout

Cookie settings needed:

  • HttpOnly: true
  • Secure: true (HTTPS only)
  • SameSite: Strict or Lax
  • Path: /
  • Max-Age or Expires

Also implement:

  • Absolute session timeout (e.g., 24 hours)
  • Idle timeout (e.g., 30 minutes)
  • Remember-me with separate long-lived token
  • Concurrent session limits (optional)
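An added example (not generated by the prompt) of the server-side half of this: a session store that regenerates the ID at login, enforces the prompt's 30-minute idle and 24-hour absolute timeouts, and emits a `Set-Cookie` value with the listed attributes. The clock is injectable so the timeouts can be checked without waiting.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

ABSOLUTE_TIMEOUT = 24 * 3600   # 24 hours, as in the prompt
IDLE_TIMEOUT = 30 * 60         # 30 minutes


@dataclass
class Session:
    user_id: Optional[str]                    # None for a pre-login session
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # keep minimal: ids and roles, no secrets


class SessionStore:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock for testing
        self.sessions = {}    # session id -> Session; the cookie carries only the id

    def create(self, user_id, old_session_id=None):
        """Issue a fresh ID at login and discard the pre-login session, so an ID
        fixed on the browser before login never becomes an authenticated one."""
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        t = self.now()
        self.sessions[sid] = Session(user_id, t, t)
        return sid

    def get(self, sid):
        """Return the live session, or None if unknown, idle too long, or past
        the absolute lifetime. A hit refreshes the idle clock only."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s.created > ABSOLUTE_TIMEOUT or t - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        s.last_seen = t
        return s


def session_cookie(sid):
    """Set-Cookie value with the attributes the prompt lists."""
    return (f"session={sid}; HttpOnly; Secure; SameSite=Strict; Path=/; "
            f"Max-Age={ABSOLUTE_TIMEOUT}")
```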

Never reveal account existence: Use the same error message and response time for "user not found" and "wrong password" to prevent account enumeration attacks.

Login Audit and Monitoring

Use this prompt to add comprehensive security logging to your login flow. Your AI will generate event tracking for successful and failed logins, account lockouts, and suspicious patterns such as impossible travel.

AI Prompt

Login Security Logging

Add comprehensive security logging to my login flow.

Log these events:

  1. Successful logins (user, IP, user-agent, time)
  2. Failed logins (username attempted, IP, reason)
  3. Account lockouts triggered
  4. Password reset requests
  5. Suspicious patterns detected

For each event include:

  • Timestamp (UTC)
  • IP address
  • User agent
  • Geolocation (optional)
  • Request ID for correlation

Implement alerts for:

  • Login from new device/location
  • Multiple failed attempts
  • Impossible travel (login from different countries)
  • Credential stuffing patterns

Don't log: actual passwords, full session tokens
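An added example (not the prompt's output) of structured login events that carry the common fields above, refuse to serialise passwords or session tokens, log only a hash prefix of a session token, and a detector that raises the "multiple failed attempts" and "credential stuffing" alerts over a batch of events. The sample events and the alert thresholds (5 failures per user, 3 distinct usernames from one IP) are constructed for the example.

```python
import hashlib
import json
from collections import defaultdict

FORBIDDEN_FIELDS = {"password", "session_token"}   # never in a log line


def redact_token(token: str) -> str:
    """Log a short hash prefix so events correlate without exposing the token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def login_event(event, *, ts, ip, user_agent, request_id, **fields):
    """One structured log line with the common fields the prompt requires.
    Refuses outright if a caller passes a secret field."""
    leaked = FORBIDDEN_FIELDS.intersection(fields)
    if leaked:
        raise ValueError(f"refusing to log secret fields: {sorted(leaked)}")
    record = {"event": event, "ts": ts, "ip": ip, "user_agent": user_agent,
              "request_id": request_id, **fields}
    return json.dumps(record, sort_keys=True)


def detect_patterns(lines, fail_threshold=5, stuffing_usernames=3):
    """Alert on repeated failures for one user and on credential stuffing,
    i.e. one IP failing against many distinct usernames."""
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    for line in lines:
        e = json.loads(line)
        if e["event"] != "login_failed":
            continue
        fails_per_user[e["username"]] += 1
        users_per_ip[e["ip"]].add(e["username"])
    alerts = [("multiple_failed_attempts", u) for u, n in fails_per_user.items() if n >= fail_threshold]
    alerts += [("credential_stuffing", ip) for ip, us in users_per_ip.items() if len(us) >= stuffing_usernames]
    return alerts


# Constructed sample events (RFC 5737 documentation addresses), not real traffic.
_COMMON = dict(ts="2024-01-01T00:00:00Z", ip="203.0.113.7", user_agent="curl/8.0", request_id="req-1")
SAMPLE_EVENTS = [login_event("login_failed", username="alice", reason="bad_password", **_COMMON) for _ in range(5)]
SAMPLE_EVENTS += [login_event("login_failed", username=u, reason="no_such_user", **_COMMON) for u in ("bob", "carol")]
SAMPLE_EVENTS.append(login_event("login_success", ts="2024-01-01T00:01:00Z", ip="198.51.100.2",
                                 user_agent="Mozilla/5.0", request_id="req-9", username="dave",
                                 session=redact_token("constructed-session-token")))
```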

Pro tip: Consider using a dedicated auth service like Clerk, Auth0, or Supabase Auth. They handle these security concerns and stay updated with best practices.

Should I use JWT or sessions for login?

Sessions are simpler and more secure for traditional web apps. JWTs work better for APIs and mobile apps. If you're not sure, start with sessions stored server-side with a secure cookie.

How many login attempts before lockout?

Common practice is 5-10 failed attempts before a temporary lockout. Use progressive delays (exponential backoff) before full lockout to slow attackers while not frustrating legitimate users too much.
