[{"data":1,"prerenderedAt":407},["ShallowReactive",2],{"blog-prompts/secure-login-flow":3},{"id":4,"title":5,"body":6,"category":386,"date":387,"dateModified":388,"description":389,"draft":390,"extension":391,"faq":392,"featured":390,"headerVariant":393,"image":392,"keywords":392,"meta":394,"navigation":395,"ogDescription":396,"ogTitle":392,"path":397,"readTime":392,"schemaOrg":398,"schemaType":399,"seo":400,"sitemap":401,"stem":402,"tags":403,"twitterCard":405,"__hash__":406},"blog/blog/prompts/secure-login-flow.md","Secure Login Flow with AI Prompts",{"type":7,"value":8,"toc":376},"minimark",[9,16,21,24,84,88,91,145,149,152,214,224,228,231,297,306,322,326,329,350,364],[10,11,12],"tldr",{},[13,14,15],"p",{},"A secure login flow needs rate limiting, account lockout, timing-safe comparisons, and secure session creation. These prompts help you implement brute force protection, credential stuffing defenses, and proper session management after successful authentication.",[17,18,20],"h2",{"id":19},"rate-limiting-and-brute-force-protection","Rate Limiting and Brute Force Protection",[13,22,23],{},"Use this prompt to add brute force protection to your login endpoint. 
Your AI will generate rate limiting middleware with per-IP and per-username throttling, exponential backoff delays, and account lockout logic.",[25,26,28,31,38,41,60,63,81],"prompt-box",{"title":27},"Add Login Rate Limiting",[13,29,30],{},"Add rate limiting to my login endpoint to prevent brute force attacks.",[13,32,33,34],{},"Framework: ",[35,36,37],"span",{},"Next.js/Express/FastAPI",[13,39,40],{},"Requirements:",[42,43,44,48,51,54,57],"ol",{},[45,46,47],"li",{},"Limit login attempts per IP address",[45,49,50],{},"Limit login attempts per username/email",[45,52,53],{},"Progressive delays after failed attempts",[45,55,56],{},"Account lockout after X failures",[45,58,59],{},"CAPTCHA trigger after suspicious activity",[13,61,62],{},"Implement:",[64,65,66,69,72,75,78],"ul",{},[45,67,68],{},"5 attempts per minute per IP",[45,70,71],{},"10 attempts per hour per username",[45,73,74],{},"Exponential backoff: 1s, 2s, 4s, 8s delays",[45,76,77],{},"Lock account for 15 minutes after 10 failures",[45,79,80],{},"Store attempt counts in Redis or in-memory",[13,82,83],{},"Return appropriate error messages that don't reveal if account exists.",[17,85,87],{"id":86},"secure-credential-validation","Secure Credential Validation",[13,89,90],{},"Copy this prompt to have your AI review and fix timing attack vulnerabilities in your login function. 
You'll get constant-time password comparison, consistent response delays, and generic error messages that prevent account enumeration.",[25,92,94,97,100,111,114,128,131],{"title":93},"Timing-Safe Login Check",[13,95,96],{},"Review my login function and fix timing attack vulnerabilities.",[13,98,99],{},"Current issues to check:",[42,101,102,105,108],{},[45,103,104],{},"Early return if user not found (timing leak)",[45,106,107],{},"Non-constant-time password comparison",[45,109,110],{},"Different response times for valid vs invalid users",[13,112,113],{},"Fix by:",[42,115,116,119,122,125],{},[45,117,118],{},"Always perform password hash comparison",[45,120,121],{},"Use timing-safe comparison functions",[45,123,124],{},"Add consistent response delay",[45,126,127],{},"Same error message for all failure cases",[13,129,130],{},"Also ensure:",[64,132,133,136,139,142],{},[45,134,135],{},"Password is hashed with bcrypt/argon2",[45,137,138],{},"Original password cleared from memory",[45,140,141],{},"Failed attempts are logged (without password)",[45,143,144],{},"Successful login creates secure session",[17,146,148],{"id":147},"session-creation-after-login","Session Creation After Login",[13,150,151],{},"This prompt asks your AI to implement secure session creation after successful authentication. 
You'll get session ID generation, cookie configuration with HttpOnly/Secure/SameSite flags, and idle and absolute timeout handling.",[25,153,155,158,160,177,180,197,200],{"title":154},"Secure Session Setup",[13,156,157],{},"After successful login, create a secure session properly.",[13,159,40],{},[42,161,162,165,168,171,174],{},[45,163,164],{},"Generate cryptographically secure session ID",[45,166,167],{},"Regenerate session ID on login (prevent fixation)",[45,169,170],{},"Set secure cookie attributes",[45,172,173],{},"Store minimal data in session",[45,175,176],{},"Implement session timeout",[13,178,179],{},"Cookie settings needed:",[64,181,182,185,188,191,194],{},[45,183,184],{},"HttpOnly: true",[45,186,187],{},"Secure: true (HTTPS only)",[45,189,190],{},"SameSite: Strict or Lax",[45,192,193],{},"Path: /",[45,195,196],{},"Max-Age or Expires",[13,198,199],{},"Also implement:",[64,201,202,205,208,211],{},[45,203,204],{},"Absolute session timeout (e.g., 24 hours)",[45,206,207],{},"Idle timeout (e.g., 30 minutes)",[45,209,210],{},"Remember-me with separate long-lived token",[45,212,213],{},"Concurrent session limits (optional)",[215,216,217],"warning-box",{},[13,218,219,223],{},[220,221,222],"strong",{},"Never reveal account existence:"," Use the same error message and response time for \"user not found\" and \"wrong password\" to prevent account enumeration attacks.",[17,225,227],{"id":226},"login-audit-and-monitoring","Login Audit and Monitoring",[13,229,230],{},"Use this prompt to add comprehensive security logging to your login flow. 
Your AI will generate event tracking for successful and failed logins, account lockouts, and suspicious patterns like impossible travel detection.",[25,232,234,237,240,257,260,277,280,294],{"title":233},"Login Security Logging",[13,235,236],{},"Add comprehensive security logging to my login flow.",[13,238,239],{},"Log these events:",[42,241,242,245,248,251,254],{},[45,243,244],{},"Successful logins (user, IP, user-agent, time)",[45,246,247],{},"Failed logins (username attempted, IP, reason)",[45,249,250],{},"Account lockouts triggered",[45,252,253],{},"Password reset requests",[45,255,256],{},"Suspicious patterns detected",[13,258,259],{},"For each event include:",[64,261,262,265,268,271,274],{},[45,263,264],{},"Timestamp (UTC)",[45,266,267],{},"IP address",[45,269,270],{},"User agent",[45,272,273],{},"Geolocation (optional)",[45,275,276],{},"Request ID for correlation",[13,278,279],{},"Implement alerts for:",[64,281,282,285,288,291],{},[45,283,284],{},"Login from new device/location",[45,286,287],{},"Multiple failed attempts",[45,289,290],{},"Impossible travel (login from different countries)",[45,292,293],{},"Credential stuffing patterns",[13,295,296],{},"Don't log: actual passwords, full session tokens",[298,299,300],"tip-box",{},[13,301,302,305],{},[220,303,304],{},"Pro tip:"," Consider using a dedicated auth service like Clerk, Auth0, or Supabase Auth. They handle these security concerns and stay updated with best practices.",[307,308,309,316],"faq-section",{},[310,311,313],"faq-item",{"question":312},"Should I use JWT or sessions for login?",[13,314,315],{},"Sessions are simpler and more secure for traditional web apps. JWTs work better for APIs and mobile apps. If you're not sure, start with sessions stored server-side with a secure cookie.",[310,317,319],{"question":318},"How many login attempts before lockout?",[13,320,321],{},"Common practice is 5-10 failed attempts before a temporary lockout. 
Use progressive delays (exponential backoff) before full lockout to slow attackers while not frustrating legitimate users too much.",[17,323,325],{"id":324},"further-reading","Further Reading",[13,327,328],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[64,330,331,338,344],{},[45,332,333],{},[334,335,337],"a",{"href":336},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[45,339,340],{},[334,341,343],{"href":342},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[45,345,346],{},[334,347,349],{"href":348},"/blog/best-practices/secrets","Secret management best practices",[351,352,353,359],"related-articles",{},[354,355],"related-card",{"description":356,"href":357,"title":358},"Secure password storage","/blog/prompts/add-password-hashing","Add Password Hashing",[354,360],{"description":361,"href":362,"title":363},"Harden your sessions","/blog/prompts/add-session-security","Add Session Security",[365,366,369,373],"cta-box",{"href":367,"label":368},"/","Start Free Scan",[17,370,372],{"id":371},"check-your-login-security","Check Your Login Security",[13,374,375],{},"Scan your authentication flow for common vulnerabilities.",{"title":377,"searchDepth":378,"depth":378,"links":379},"",2,[380,381,382,383,384,385],{"id":19,"depth":378,"text":20},{"id":86,"depth":378,"text":87},{"id":147,"depth":378,"text":148},{"id":226,"depth":378,"text":227},{"id":324,"depth":378,"text":325},{"id":371,"depth":378,"text":372},"prompts","2026-02-26","2026-03-06","AI prompts to secure your login flow. 
Implement rate limiting, account lockout, secure session creation, and protection against brute force attacks.",false,"md",null,"cyan",{},true,"AI prompts to harden your login flow against attacks.","/blog/prompts/secure-login-flow","[object Object]","BlogPosting",{"title":5,"description":389},{"loc":397},"blog/prompts/secure-login-flow",[404],"Authentication","summary_large_image","jngxmBy-nUrDV27ssau8b-26J6jkVgfKwZqZVrZkSMQ",1775843938149]