Auth

SKILL.md

Session vs Token

  • Server sessions: simpler, instant revocation, require a session store—good for traditional web apps
  • Stateless tokens (JWT): scalable, no shared state—good for APIs, microservices, mobile
  • Hybrid: session for web, tokens for API—often the practical choice
  • Session cookies with HttpOnly + Secure + SameSite=Lax for CSRF protection
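The two models side by side, as an added example (not code from the openclaw/skills project): an in-memory server-side session store where revocation is an immediate delete, the Set-Cookie value built with the three flags above, and a minimal HMAC-signed token that stands in for a JWT to show the flip side of "no shared state": once issued, it stays valid until it expires unless the server keeps state to deny it. The store, the cookie name `sid`, the token layout and the test key are all assumptions for the demo; the standard library is all it needs.

```python
"""Server sessions vs. stateless signed tokens, with HttpOnly/Secure/SameSite=Lax cookies."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional


class SessionStore:
    """Opaque session IDs mapped to user records (constructed in-memory demo store)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def create(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, carries no data
        self._sessions[sid] = {"user_id": user_id, "expires": now + self._ttl}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= now:
            self._sessions.pop(sid, None)  # lazy expiry on access
            return None
        return rec["user_id"]

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)  # instant revocation: the very next lookup fails


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID with the flags recommended above."""
    jar = SimpleCookie()
    jar["sid"] = sid
    morsel = jar["sid"]
    morsel["httponly"] = True   # not readable from document.cookie (limits XSS theft)
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs (CSRF protection)
    morsel["path"] = "/"
    return morsel.OutputString()


# --- stateless signed token (simplified stand-in for a JWT; constructed format) ---

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """body.signature where signature = HMAC-SHA256(key, body); no server state kept."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl_seconds)}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(key: bytes, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.split(".")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # timing-safe
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad padding, bad JSON, wrong number of parts
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice")
    print(session_cookie_header(sid))
    store.revoke(sid)
    print("session after revoke:", store.lookup(sid))  # None
    key = secrets.token_bytes(32)
    tok = mint_token(key, "alice", 60)
    print("token still valid after 'logout' without a denylist:", verify_token(key, tok))
```

The `now` parameters exist so expiry can be tested deterministically; in a real handler they default to the wall clock. The token section is deliberately minimal (one HMAC, two claims) to make the revocation trade-off visible; use a maintained JWT library in production.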

Password Handling

  • Hash with bcrypt (cost 10-12), Argon2id, or scrypt—never MD5, SHA1, or plain SHA256
  • Never store plaintext, encrypted passwords, or reversible hashes
  • Salt is included in bcrypt/argon2 output—don't manage separately
  • Timing-safe comparison for password verification—prevents timing attacks
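A concrete version of the four points above, as an added example that is not part of the openclaw/skills page: hashing with a per-password random salt, storing salt and parameters in the same string as the hash, verifying with a timing-safe comparison, and flagging records whose work factor is below current policy so they can be re-hashed on the next successful login. It uses `hashlib.scrypt` from the standard library because bcrypt and Argon2id need third-party packages; the `$scrypt$...` record layout and the n/r/p values are assumptions chosen for the demo.

```python
"""Password hashing with scrypt: embedded salt, timing-safe verify, rehash-on-login check."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed policy: n=2**14, r=8, p=1 needs ~16 MiB per hash; tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt>$<hash> (constructed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password: equal passwords hash differently
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(dk))


def _parse(stored: str):
    """Split a record into (scheme, params dict, salt, hash); raises ValueError/KeyError if malformed."""
    _, scheme, params, salt_b64, dk_b64 = stored.split("$")
    p = dict(kv.split("=") for kv in params.split(","))
    return scheme, p, base64.b64decode(salt_b64, validate=True), base64.b64decode(dk_b64, validate=True)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters from the record and compare in constant time."""
    try:
        scheme, p, salt, expected = _parse(stored)
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(p["n"]), r=int(p["r"]), p=int(p["p"]),
                                   dklen=len(expected))
    except (ValueError, KeyError):  # malformed record or unusable parameters
        return False
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record uses a weaker scheme/cost than current policy (or is unreadable)."""
    try:
        scheme, p, _, _ = _parse(stored)
        return (scheme != "scrypt"
                or int(p["n"]) < SCRYPT_N
                or int(p["r"]) < SCRYPT_R
                or int(p["p"]) < SCRYPT_P)
    except (ValueError, KeyError):
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

On a successful login, check `needs_rehash` and, if it returns True, store `hash_password(password)` while the plaintext is still in hand; that is how a deployment raises its cost parameters over time without forcing resets.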

Multi-Factor Authentication

Installs: 2
Repository: openclaw/skills
GitHub Stars: 4.5K
First Seen: Feb 18, 2026