Severity: Info · CWE-778 (Insufficient Logging) · OWASP A09:2021 (Security Logging and Monitoring Failures)

No Login Notification

Not notifying users of new logins means they have no way to know if their account was accessed from an unfamiliar device.

How It Works

Login notifications give users an early warning system. If an attacker logs in with stolen credentials, the victim receives an email or push notification saying that a login just occurred from a new device or location, giving them a chance to revoke that session and change their password before damage is done.

Vulnerable Code

```typescript
// BAD: login creates a session with no user notification
async function login(email: string, password: string) {
  const user = await verifyCredentials(email, password);
  const session = await createSession(user);
  return session.token; // user has no idea someone just logged in
}
```
Secure Code

```typescript
// GOOD: notify user of new logins from unknown devices
interface DeviceInfo { userAgent: string; ip: string; } // shape assumed for this sketch

async function login(email: string, password: string, deviceInfo: DeviceInfo) {
  const user = await verifyCredentials(email, password);
  const session = await createSession(user, deviceInfo);
  // The device lookup normally hits a store, so await it instead of negating a pending promise
  if (!(await isKnownDevice(user, deviceInfo))) {
    await sendLoginAlert(user.email, deviceInfo); // email with revoke link
    await rememberDevice(user, deviceInfo);       // assumed helper: next login from this device stays silent
  }
  return session.token;
}
```

Real-World Example

Google, Apple, and major banks all send login notifications for new devices. Security research consistently shows that login alerts enable users to detect and respond to account takeovers significantly faster than without them.

How to Prevent It

  • Send an email notification for every login from a new device or location
  • Include device type, approximate location, and a one-click session revoke link in the notification
  • Store known devices per user (hashed device fingerprint) so returning devices don't trigger alerts
  • Make login notifications configurable but default them to 'on'
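A complete in-memory version of the flow sketched above and in the prevention list, added here as an example rather than taken from the page or from Data Hogo's own code: per-user salted device fingerprints, an alert queue, and a one-click revoke link that carries its own token instead of the session token. The helper names, the `DeviceInfo` shape and the `https://app.example/revoke/` URL are assumptions for this example.

```typescript
import { createHash, randomBytes } from "node:crypto";

interface DeviceInfo { userAgent: string; ip: string; }
interface Session { userId: string; revokeToken: string; revoked: boolean; }
interface LoginAlert { to: string; device: DeviceInfo; revokeUrl: string; }

// In-memory stores standing in for database tables (constructed for this example).
const knownDevices = new Map<string, Set<string>>(); // userId -> hashed fingerprints
const sessions = new Map<string, Session>();          // sessionToken -> session
const revokeIndex = new Map<string, string>();        // revokeToken -> sessionToken
const sentAlerts: LoginAlert[] = [];                  // stand-in for the email/push queue

// Store only a salted hash of the fingerprint, never the raw user agent and IP.
function deviceFingerprint(d: DeviceInfo, perUserSalt: string): string {
  return createHash("sha256").update(`${perUserSalt}|${d.userAgent}|${d.ip}`).digest("hex");
}

// Assumes the caller has already verified the credentials.
function loginWithAlert(userId: string, email: string, device: DeviceInfo, notify = true) {
  const token = randomBytes(16).toString("hex");
  // The revoke link gets a separate single-purpose token, so a leaked email
  // does not hand out the session token itself.
  const revokeToken = randomBytes(16).toString("hex");
  sessions.set(token, { userId, revokeToken, revoked: false });
  revokeIndex.set(revokeToken, token);

  const fp = deviceFingerprint(device, userId);
  const seen = knownDevices.get(userId) ?? new Set<string>();
  const isNewDevice = !seen.has(fp);
  if (isNewDevice && notify) {
    // Placeholder host; a real deployment uses its own origin here.
    sentAlerts.push({ to: email, device, revokeUrl: `https://app.example/revoke/${revokeToken}` });
  }
  seen.add(fp); // returning devices will not alert again
  knownDevices.set(userId, seen);
  return { token, alerted: isNewDevice && notify };
}

// Handler for the one-click link in the alert; returns false for unknown or already-revoked tokens.
function revokeByToken(revokeToken: string): boolean {
  const token = revokeIndex.get(revokeToken);
  const s = token ? sessions.get(token) : undefined;
  if (!s || s.revoked) return false;
  s.revoked = true;
  return true;
}

function isSessionValid(token: string): boolean {
  const s = sessions.get(token);
  return s !== undefined && !s.revoked;
}
```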

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
