C1. Login basics
What this page helps you do
Think through the login, session and password-reset basics before your first launch.
Why it matters
Login bugs become account-takeover bugs fast: a guessable reset token, a session that never expires, or an admin account sitting behind the ordinary login form can each hand an attacker someone else's account.
You should already have
- an app with user accounts
Skip this page if
- your app has no user accounts
Then go to B11. No user accounts.
What to do
- use a trusted, well-maintained auth approach (a library or identity provider) rather than hand-written login code
- protect sessions (Secure and HttpOnly cookies, a fresh session ID after login, expiry and a working logout) and password-reset flows (random, single-use, expiring tokens with only a hash stored server-side)
- make admin access clearly separate if needed (its own login path and stronger checks, such as a second factor)
Recommended default
Use a well-known auth library or identity provider instead of building login, session and reset flows from scratch.
Common mistakes
- rolling your own auth too early (password hashing, session handling and reset logic are easy to get subtly wrong)
- weak password reset flows (short or guessable tokens, tokens that never expire or can be reused, tokens stored in plaintext)
- admin users sharing normal login paths with no extra protection
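The reset-flow points above (random single-use tokens that expire, only a hash stored, and existing sessions revoked once the password is reset) in working code. This is an added example, not code from this page or any project it describes; it assumes an in-memory dictionary standing in for the database and that the plaintext token is delivered out of band (for example by email). The names ResetStore, issue_reset_token, redeem_reset_token and weak_reset_code are made up here.

```python
"""Password-reset tokens handled carefully: an added example, not the page's own code.

Assumptions not taken from the page: an in-memory dict stands in for the database,
the plaintext token travels only in the reset email, and every name here is invented.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # constructed choice: a short lifetime limits what a leaked link is worth


@dataclass
class ResetRecord:
    user_id: str
    token_hash: bytes   # only a hash is stored, so a database leak does not yield live reset links
    expires_at: float
    used: bool = False


class ResetStore:
    """Stand-in for the reset-token table and the session table (assumption: in memory)."""

    def __init__(self) -> None:
        self.resets: Dict[bytes, ResetRecord] = {}
        self.sessions: Dict[str, str] = {}   # session_id -> user_id

    def revoke_sessions_for(self, user_id: str) -> int:
        """Log the user out everywhere; a reset is often a response to a compromise."""
        stale = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def _hash_token(token: str) -> bytes:
    # The lookup key is the hash, so the plaintext token is never stored or string-compared.
    return hashlib.sha256(token.encode("ascii")).digest()


def issue_reset_token(store: ResetStore, user_id: str, now: Optional[float] = None) -> str:
    """Create a single-use reset token; the returned plaintext goes only into the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random.random()
    digest = _hash_token(token)
    store.resets[digest] = ResetRecord(user_id, digest, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(store: ResetStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is known, unexpired and unused, else None.

    A redeemed token is marked used so the link cannot be replayed, and every existing
    session of that user is revoked so an attacker who is already logged in is evicted.
    """
    now = time.time() if now is None else now
    rec = store.resets.get(_hash_token(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True
    store.revoke_sessions_for(rec.user_id)
    return rec.user_id


def weak_reset_code() -> str:
    """The shape of the common mistake, for contrast: a 6-digit code from a non-cryptographic
    PRNG, which an attacker can exhaust in at most a million guesses if nothing rate-limits it."""
    import random
    return f"{random.randint(0, 999999):06d}"


if __name__ == "__main__":
    store = ResetStore()
    store.sessions["sess-attacker"] = "alice"   # constructed: an intruder already holds a session
    t = issue_reset_token(store, "alice", now=1000.0)
    assert redeem_reset_token(store, t, now=1060.0) == "alice"
    assert redeem_reset_token(store, t, now=1061.0) is None   # single use
    assert "sess-attacker" not in store.sessions               # intruder's session is gone
    print("ok")
```

Rate limiting of reset requests and of token submission, and sending the link only to the address already on file, are still the endpoint's job; this block covers only the token itself and what happens once it is accepted.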
Next step
Go to C2. Protect admin pages.
Related pages
Advanced notes
TODO for contributors: add a beginner-friendly note on sessions versus tokens without diving into protocol details.