What are auth & session flaws?
Auth and session flaws are weaknesses in how your app verifies who someone is and keeps them logged in. This includes everything from the login form itself to how session tokens are generated, stored, and expired. When any link in that chain is weak, an attacker can impersonate real users — or skip authentication entirely.
These flaws are especially dangerous because they sit at the front door. A broken access control bug might leak one user's data. A broken login lets an attacker become any user they want. In AI-generated apps, auth code often looks right — it handles the happy path perfectly — but crumbles under adversarial input.
How it looks in code
Here's a login handler that AI tools commonly generate. It works in testing — you type an email and password, you get a token. But it has three critical flaws stacked on top of each other.
// AI-generated login handler
app.post('/api/login', async (req, res) => {
const { email, password } = req.body;
// String concatenation — classic SQL injection
const user = await db.query(
`SELECT * FROM users WHERE email = '${email}'
AND password = '${password}'`
);
if (user.rows.length > 0) {
// Predictable token — just base64 of the user ID
const token = Buffer.from(user.rows[0].id.toString())
.toString('base64');
res.json({ token });
}
});// Secure login handler
app.post('/api/login', async (req, res) => {
// Rate limiting first
const attempts = await rateLimiter.get(req.ip);
if (attempts > 5) return res.status(429).json({ error: 'Too many attempts' });
const { email, password } = req.body;
// Parameterized query — no injection possible
const user = await db.query(
'SELECT * FROM users WHERE email = $1',
[email]
);
if (user.rows.length === 0) return res.status(401).json({ error: 'Invalid credentials' });
// bcrypt comparison — not plaintext
const valid = await bcrypt.compare(password, user.rows[0].password_hash);
if (!valid) return res.status(401).json({ error: 'Invalid credentials' });
// Cryptographically random token
const token = crypto.randomBytes(32).toString('hex');
await sessions.create({ token, userId: user.rows[0].id, expiresAt: Date.now() + 3600000 });
res.json({ token });
});Why AI tools generate this
Auth is one of the most common things people ask AI to build. It's also one of the hardest to get right, because security depends on multiple layers working together.
- Training data is full of shortcuts. Most code examples online skip rate limiting, use plaintext passwords, and concatenate SQL. AI models learn from what they see most often.
- Auth is multi-layered — AI sees one layer at a time. A secure login needs parameterized queries, hashed passwords, rate limiting, secure token generation, and proper session expiry. AI tools handle each prompt in isolation. They build the query without thinking about the token, and generate the token without thinking about expiry.
- The "it works" trap. A login handler with SQL concatenation and base64 tokens works perfectly in testing. You log in, you get a token, the app loads. The flaws only show up when someone intentionally tries to break it.
Common patterns
Login bypass via SQL injection
String concatenation in login queries lets attackers pass ' OR 1=1 -- as a username and skip password checks entirely. The most common auth flaw in AI-generated code.
Weak or predictable session tokens
Base64-encoded user IDs, sequential numbers, or timestamps as session tokens. If an attacker can guess the pattern, they can forge a session for any user.
Missing brute-force protection
No rate limiting on login endpoints. An attacker can try thousands of passwords per minute. AI tools almost never add rate limiting unless you explicitly ask.
Password reset flow vulnerabilities
Predictable reset tokens, no expiry on reset links, or reset endpoints that confirm whether an email exists. Each one gives attackers a foothold.
How Flowpatrol detects it
Flowpatrol doesn't read your source code. It tests your live app the same way an attacker would — from the outside, with no special access.
- 1Probes login endpoints with injection payloads. Flowpatrol sends crafted inputs — SQL injection strings, NoSQL operators, authentication bypass patterns — to every login and auth endpoint it discovers.
- 2Analyzes token entropy and structure. It collects session tokens from multiple logins and checks for patterns. Low entropy, sequential values, or decodable payloads without signatures all get flagged.
- 3Tests rate limiting behavior. Flowpatrol sends rapid repeated requests to login endpoints and measures the response. No slowdown after 10+ failed attempts? That gets reported.
- 4Maps the full auth surface. Password reset, registration, OAuth callbacks, session refresh — every auth-related endpoint gets tested for the same classes of flaws.
Check your app for auth flaws.
Paste your URL. Flowpatrol tests your login, sessions, and auth flows in minutes — not hours.
Try it free