Advanced Security

Authentication Security

Password hashing, session management, and MFA implementation.

Protecting User Identity

Authentication is the most attacked surface of web applications. Implement it correctly.

Password Security

Hash with bcrypt (cost 12+) or Argon2id
Never store plaintext passwords
Enforce minimum complexity
Check against breached password lists

import bcrypt from 'bcrypt';

const hash = await bcrypt.hash(password, 12);
const valid = await bcrypt.compare(password, hash);

Session Security

Use secure, httpOnly, sameSite cookies
Regenerate session ID after login
Implement session timeouts
Invalidate all sessions on password change

Set-Cookie: session=abc123;
  HttpOnly;
  Secure;
  SameSite=Lax;
  Path=/;
  Max-Age=86400

Multi-Factor Authentication

TOTP apps (Google Authenticator)
WebAuthn/Passkeys (best option)
SMS (vulnerable but better than nothing)
Recovery codes for account recovery

Additional Resources