Authentication Best Practices
Easyβ’
Authentication is fundamental to web security. Following best practices prevents common vulnerabilities and ensures user data protection.
Quick Navigation: Understanding Authentication Flow β’ Password Security β’ Session Management β’ Authentication Methods Comparison β’ Best Practices for Implementation
Quick Decision Guide
Quick Implementation Guide:
Password Hashing: Use bcrypt: const hash = await bcrypt.hash(password, 10). Never store plain passwords.
JWT Tokens: Use for stateless auth: jwt.sign({ userId }, SECRET, { expiresIn: '24h' }). Store in httpOnly cookie or localStorage (less secure).
Sessions: Use secure, httpOnly cookies: cookie: { secure: true, httpOnly: true, sameSite: 'strict' }
Rate Limiting: Prevent brute force: rateLimit({ windowMs: 15<em>60</em>1000, max: 5 }) on login endpoints.
Password Requirements: Minimum 8 chars, require complexity, check against common passwords list.
Security Checklist: - β Hash passwords with salt (bcrypt/Argon2) - β Use HTTPS only - β HttpOnly cookies for sessions - β Rate limit login attempts - β Regenerate session ID after login - β Set token expiration (24h max for JWTs)
Never: Store plain passwords, trust client validation, or put tokens in URLs.
Understanding Authentication Flow
Overview of Authentication
Authentication verifies who a user is. It's the process of confirming a user's identity before granting access to protected resources.
Figure 1: Authentication Flow
βββββββββββββββ ββββββββββββββββ βββββββββββββββ
β User β β Server β β Database β
β Browser β β β β β
ββββββββ¬βββββββ ββββββββ¬ββββββββ ββββββββ¬βββββββ
β β β
β 1. Submit Credentials β β
β (username/password)β β
ββββββββββββββββββββββββ> β
β β β
β β 2. Query User β
β βββββββββββββββββββββββββ>
β β β
β β <βββββββββββββββββββββββ
β β User Record β
β β β
β β 3. Verify Password β
β β (compare hash) β
β β β
β β β
β β 4. Generate Token/ β
β β Session β
β β β
β <βββββββββββββββββββββββ β
β Token/Session β β
β β β
β 5. Store Token β β
β (cookie/localStorage)β β
β β βAuthentication Methods
1. Password-Based Authentication
β’Most common method
β’Username + password combination
β’Requires secure password storage
2. Token-Based Authentication (JWT)
β’Stateless authentication
β’Token contains user claims
β’No server-side session storage needed
3. OAuth 2.0
β’Third-party authentication
β’Delegated authorization
β’Used by Google, GitHub, etc.
4. Multi-Factor Authentication (MFA)
β’Multiple verification factors
β’Something you know (password)
β’Something you have (phone, hardware token)
β’Something you are (biometric)
Password Security
Never Store Plain Text Passwords
Figure 2: Password Storage Comparison
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Password Storage Methods β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β β Plain Text (DANGEROUS) β
β ββββββββββββββββββββββββββββββββββββββββ β
β β Password: "mypassword123" β β
β β Stored: "mypassword123" β β
β β β β
β β Risk: Immediate access if DB leaked β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β
β β Basic Hashing (VULNERABLE) β
β ββββββββββββββββββββββββββββββββββββββββ β
β β Password: "mypassword123" β β
β β Hash: SHA256("mypassword123") β β
β β β β
β β Risk: Rainbow table attacks β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β
β β
Salted Hashing (SECURE) β
β ββββββββββββββββββββββββββββββββββββββββ β
β β Password: "mypassword123" β β
β β Salt: "random_salt_abc123" β β
β β Hash: bcrypt(password + salt) β β
β β β β
β β Safe: Unique hash per password β β
β ββββββββββββββββββββββββββββββββββββββββ β
β β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββPassword Hashing Process
Figure 3: Password Hashing Flow
βββββββββββββββ ββββββββββββββββ βββββββββββββββ
β User β β Server β β Database β
β Registrationβ β β β β
ββββββββ¬βββββββ ββββββββ¬ββββββββ ββββββββ¬βββββββ
β β β
β 1. Submit Password β β
ββββββββββββββββββββββββ> β
β β β
β β 2. Generate Salt β
β β (random) β
β β β
β β 3. Hash Password β
β β bcrypt(password + salt)β
β β β
β β 4. Store Hash + Salt β
β βββββββββββββββββββββββββ>
β β β
β <βββββββββββββββββββββββ β
β Success β β
β β βUse Hashing Algorithm:
β’bcrypt (recommended) - Adaptive hashing, slow by design
β’Argon2 (modern, more secure) - Winner of Password Hashing Competition
β’scrypt (good alternative) - Memory-hard function
Salt Passwords:
β’Add random salt to each password
β’Prevents rainbow table attacks
β’Each password hash is unique (even same password = different hash)
Password Requirements
β’Minimum length: 8-12 characters
β’Require complexity: uppercase, lowercase, numbers, symbols
β’Check against common passwords: Use password strength checker
β’Implement rate limiting: Prevent brute force attacks on login attempts
Session Management
Session vs Token-Based Authentication
Figure 4: Session-Based Authentication Flow
βββββββββββββββ ββββββββββββββββ βββββββββββββββ
β User β β Server β β Session β
β Browser β β β β Store β
ββββββββ¬βββββββ ββββββββ¬ββββββββ ββββββββ¬βββββββ
β β β
β 1. Login β β
ββββββββββββββββββββββββ> β
β β β
β β 2. Create Session β
β βββββββββββββββββββββββββ>
β β β
β β <βββββββββββββββββββββββ
β β Session ID β
β β β
β <βββββββββββββββββββββββ β
β Session Cookie β β
β (sessionId) β β
β β β
β 3. Request with Cookieβ β
ββββββββββββββββββββββββ> β
β β β
β β 4. Validate Session β
β βββββββββββββββββββββββββ>
β β β
β β <βββββββββββββββββββββββ
β β Session Data β
β β β
β <βββββββββββββββββββββββ β
β Authorized β β
β β βFigure 5: Token-Based Authentication Flow (JWT)
βββββββββββββββ ββββββββββββββββ
β User β β Server β
β Browser β β β
ββββββββ¬βββββββ ββββββββ¬ββββββββ
β β
β 1. Login β
ββββββββββββββββββββββββ>
β β
β β 2. Generate JWT β
β β (signed token) β
β β β
β <βββββββββββββββββββββββ β
β JWT Token β β
β (contains user info)β β
β β β
β 3. Store Token β β
β (localStorage/cookie)β β
β β β
β 4. Request with Token β β
ββββββββββββββββββββββββ> β
β β β
β β 5. Verify Token β
β β (check signature) β
β β β
β <βββββββββββββββββββββββ β
β Authorized β β
β β β| Aspect | Server-Side Sessions | Token-Based (JWT) |
|---|---|---|
| Storage | Server-side | Client-side |
| Scalability | Requires shared storage | Stateless |
| Revocation | Easy (delete session) | Hard (wait for expiry) |
| Security | More secure | Less secure (if stolen) |
| Use Case | Traditional apps | Microservices, APIs |
res.cookie('session', sessionId, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'strict',
maxAge: 24 * 60 * 60 * 1000 // 24 hours
});Authentication Methods Comparison
| Method | Security | Complexity | Use Case |
|---|---|---|---|
| Password-Based | βββ Medium | Low | Most common, simple apps |
| JWT Tokens | ββββ High | Medium | APIs, microservices |
| OAuth 2.0 | βββββ Highest | High | Third-party login |
| MFA | βββββ Highest | High | Sensitive accounts |
Best Practices for Implementation
Security Checklist
Password Security:
β’β
Hash passwords with salt (bcrypt/Argon2)
β’β
Never store plain text passwords
β’β
Enforce password complexity requirements
β’β
Check against common passwords list
β’β
Implement password reset securely
Rate Limiting:
β’β
Limit login attempts (e.g., 5 attempts per 15 minutes)
β’β
Implement account lockout after failed attempts
β’β
Use CAPTCHA after multiple failures
Session Management:
β’β
Use httpOnly cookies for sessions
β’β
Set secure flag (HTTPS only)
β’β
Implement session expiration
β’β
Regenerate session ID after login
β’β
Implement session invalidation on logout
Token Security:
β’β
Set token expiration (24h max for JWTs)
β’β
Use refresh tokens for long-lived sessions
β’β
Store tokens securely (httpOnly cookies preferred)
β’β
Never put tokens in URLs
β’β
Implement token revocation
General Security:
β’β
Use HTTPS only
β’β
Validate all input server-side
β’β
Never trust client-side validation
β’β
Implement CSRF protection
β’β
Log authentication events
Common Mistakes to Avoid
Mistake 1: Storing plain text passwords
β’β
password: "mypassword123"β’β
passwordHash: bcrypt.hash("mypassword123", salt)Mistake 2: Not rate limiting login
β’β Unlimited login attempts
β’β
Rate limit: 5 attempts per 15 minutes
Mistake 3: Weak session management
β’β Session cookies without httpOnly flag
β’β
httpOnly: true, secure: true, sameSite: 'strict'Mistake 4: Long-lived tokens
β’β JWT with no expiration
β’β
JWT with 24h expiration + refresh token
Mistake 5: Trusting client validation
β’β Only client-side password validation
β’β
Always validate server-side
Key Takeaways
1Never store passwords in plain text - always hash
2Use bcrypt or Argon2 for password hashing
3Implement rate limiting to prevent brute force
4Use httpOnly and secure cookies for sessions
5Implement token expiration and refresh mechanisms
6Consider multi-factor authentication for sensitive accounts