Auth & Sessions (Advanced)

Session fixation, account lockout, OAuth state, password reset, and token invalidation vulnerabilities. The details that make or break your auth system.

9 vulnerabilities

Session Fixation

high

The server reuses the same session ID before and after login, allowing an attacker who planted a known session ID to hijack the authenticated session.

CWE-384, A07:2021

No Account Lockout / Brute Force Protection

medium

Login endpoints with no rate limiting or lockout mechanism, allowing attackers to try unlimited username and password combinations until they find valid credentials.

CWE-307, A07:2021

Weak Password Policy

medium

No minimum length, complexity, or common-password requirements on registration or password change, making user accounts easily brute-forced or guessed.

CWE-521, A07:2021

OAuth State Parameter Missing

high

OAuth authorization flow implemented without a random `state` parameter, allowing CSRF attacks that link a victim's account to the attacker's OAuth identity.

CWE-352, A07:2021

Token Not Invalidated on Logout

medium

JWT or session tokens remain valid after a user logs out because there is no server-side revocation mechanism, allowing stolen tokens to be used indefinitely.

CWE-613, A07:2021

No Session Invalidation on Password Change

medium

Active sessions remain valid after a user changes their password, leaving attackers who already compromised a session with continued access even after the user takes remediation action.

CWE-613, A07:2021

Insecure Remember Me Token

medium

Persistent 'remember me' tokens that are predictable, non-expiring, or stored insecurely, allowing attackers to forge tokens or maintain access indefinitely after compromise.

CWE-287, A07:2021

Insecure Password Reset Flow

high

Password reset tokens without expiration, single-use enforcement, or proper randomness, allowing attackers to use leaked or guessable reset links to take over accounts.

CWE-640, A07:2021

User Enumeration via Distinct Error Messages

low

Login or password reset endpoints returning different error messages for 'email not found' vs 'wrong password', allowing attackers to confirm which email addresses are registered.

CWE-204, A07:2021