Auth Security Reviewer

Comprehensive security review of authentication systems.

Session Security Checklist

// ❌ INSECURE Session Configuration
app.use(
  session({
    secret: "weak-secret", // Too simple
    resave: true, // Unnecessary
    saveUninitialized: true, // Creates unnecessary sessions
    cookie: {
      secure: false, // Not HTTPS-only
      httpOnly: false, // Accessible via JavaScript
      sameSite: false, // CSRF vulnerable
      maxAge: 365 * 24 * 60 * 60 * 1000, // 1 year - too long
    },