Recommended practices for securing authentication flows in BetterForms.
Guidelines to help secure all authentication strategies.
Treat verification and reset tokens as secrets
Use short TTLs and enforce single use; delete the temporary token from the database once it has been redeemed
Do not log tokens; avoid storing them in cleartext
After validating a token from a URL, redirect to remove it from the address bar
Hash passwords server-side using a modern algorithm
Never transmit or store plaintext passwords
Enforce minimum complexity and length
On admin resets, force the user to change the password at next login or use a reset-link flow
Keep session duration short; rotate on privilege changes
Do not store sensitive user data in cookies
Require authentication for restricted pages
Validate required fields before running auth actions (e.g., email, password)
Surface errors to the user via model.authMessage when available
Use onAuthNotifier script for sending verification and reset emails from your server
Centralize business rules in onLogin and onRegistration where appropriate
Monitor for repeated failures and lock or throttle as needed (roll your own)