These insecure demos highlight common auth design mistakes: no rate limits, session fixation, predictable reset tokens, weak/bypassable MFA, and insecure remember-me.
Uses shared DB tables (a07_*). Seed data in db/seed.sql.
Compare with the Secure version.
Vulnerable idea: unlimited attempts, generic error messages, no jitter/backoff. Demo credentials: alice@example.com / alice@example.com
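The hardened counterpart, as an added example rather than code from this demo app: per-account failure counting with exponential backoff plus jitter, a single "invalid" response for unknown users and wrong passwords alike, and a password hash computed even for unknown accounts so timing does not leak which e-mails exist. The in-memory USERS dict, the shared salt, and the 5-attempt / 15-minute limits are constructed assumptions standing in for the a07_* tables and a real policy.

```python
# Added example (not the demo app's code): login throttling with backoff + jitter.
import hashlib
import hmac
import random
import time
from typing import Dict

# Constructed stand-in for an a07_users table: email -> PBKDF2 hash of password.
SALT = b"demo-salt"  # assumption: a real table stores a per-user random salt

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"alice@example.com": _hash("alice@example.com")}

# Failure counters and lockout deadlines per account (constructed state).
_failures: Dict[str, int] = {}
_locked_until: Dict[str, float] = {}

MAX_FREE_ATTEMPTS = 5   # assumption: attempts allowed before backoff kicks in
BASE_DELAY = 1.0        # seconds
MAX_DELAY = 15 * 60.0   # assumption: cap the lockout at 15 minutes

def backoff_delay(failures: int, rng=random.random) -> float:
    """Exponential backoff with jitter once the free attempts are used up.
    Jitter makes the lockout window unpredictable to an automated client."""
    if failures < MAX_FREE_ATTEMPTS:
        return 0.0
    base = min(MAX_DELAY, BASE_DELAY * 2 ** (failures - MAX_FREE_ATTEMPTS))
    return base * (0.5 + rng())   # uniform in [0.5 * base, 1.5 * base)

def login(email: str, password: str, now=time.time) -> str:
    """Returns 'ok', 'locked' or 'invalid'. Unknown user and wrong password
    produce the same 'invalid' so the response does not enumerate accounts."""
    if now() < _locked_until.get(email, 0.0):
        return "locked"
    # Always run the password hash, even for unknown users, to equalize timing.
    stored = USERS.get(email, _hash("dummy-for-timing"))
    if email in USERS and hmac.compare_digest(stored, _hash(password)):
        _failures.pop(email, None)
        _locked_until.pop(email, None)
        return "ok"
    n = _failures.get(email, 0) + 1
    _failures[email] = n
    _locked_until[email] = now() + backoff_delay(n)
    return "invalid"
```

In a multi-instance deployment the counters belong in the shared database or cache rather than process memory, and a second limiter keyed by source IP catches spraying across many accounts.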
Vulnerable idea: don’t rotate the session ID on login and set cookies without HttpOnly, Secure, or proper SameSite.
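The fix for both halves of that idea, as an added example that is not the demo's own code: on successful authentication the pre-login session ID is discarded and a fresh CSPRNG-generated one is bound to the user, and the Set-Cookie value carries HttpOnly, Secure and SameSite. The in-memory session store and the one-hour Max-Age are constructed assumptions.

```python
# Added example (not the demo app's code): session rotation + cookie hardening.
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session store: session_id -> {"user_id", "created"}.
_sessions: Dict[str, dict] = {}

def new_session(user_id: Optional[int] = None) -> str:
    """Anonymous (user_id=None) or authenticated session with a 256-bit random ID."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user_id": user_id, "created": time.time()}
    return sid

def login_rotate(old_sid: Optional[str], user_id: int) -> str:
    """Called after the password (and any second factor) checks out.
    The pre-login ID, which a third party could have planted in the browser,
    is invalidated so it never becomes an authenticated session."""
    if old_sid is not None:
        _sessions.pop(old_sid, None)
    return new_session(user_id)

def current_user(sid: str) -> Optional[int]:
    return _sessions.get(sid, {}).get("user_id")

def logout(sid: str) -> None:
    """Destroy server-side state; clearing the cookie alone is not enough."""
    _sessions.pop(sid, None)

def session_cookie(sid: str, max_age: int = 3600) -> str:
    """Set-Cookie header value with the hardening attributes:
    HttpOnly keeps scripts from reading it, Secure restricts it to HTTPS,
    SameSite=Lax withholds it from cross-site POSTs."""
    return (f"session={sid}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```

SameSite=Strict is the stricter choice when the app never needs to be entered through a top-level cross-site link while logged in; Lax is the usual default because it keeps plain navigations working.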
Vulnerable idea: predictable tokens, stored in plaintext, long TTL, and multi-use.
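Its secure counterpart, as an added example (not the demo app's code): the token comes from the CSPRNG, only its SHA-256 is persisted so a database read does not yield usable tokens, it expires after a short TTL, it is consumed on first use, and issuing a new one revokes any outstanding one for that user. The dict standing in for a reset-token table and the 15-minute TTL are constructed assumptions.

```python
# Added example (not the demo app's code): unguessable, hashed, short-lived,
# single-use password reset tokens.
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL = 15 * 60   # assumption: 15-minute validity window

# Constructed store mirroring a reset-token table:
# sha256(token) -> {"user_id", "expires", "used"}
_reset: Dict[str, dict] = {}

def _digest(token: str) -> str:
    # Tokens are random, so a hash lookup is safe; the plaintext never hits storage.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(user_id: int, now=time.time) -> str:
    """Returns the token to e-mail to the user. Any earlier token for the same
    user is revoked so at most one is live at a time."""
    for d in [d for d, r in _reset.items() if r["user_id"] == user_id]:
        del _reset[d]
    token = secrets.token_urlsafe(32)   # 256 bits of entropy
    _reset[_digest(token)] = {
        "user_id": user_id,
        "expires": now() + TOKEN_TTL,
        "used": False,
    }
    return token

def redeem_reset_token(token: str, now=time.time) -> Optional[int]:
    """Returns the user_id the token belongs to, or None. A token is accepted
    exactly once and only before its expiry."""
    rec = _reset.get(_digest(token))
    if rec is None or rec["used"] or now() > rec["expires"]:
        return None
    rec["used"] = True
    return rec["user_id"]
```

The caller should also invalidate every active session of the account once the new password is set, so a session established before the reset does not survive it.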
Vulnerable idea: mark MFA “passed” via query flag/cookie or accept trivial codes (e.g., 000000).
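The defensible design, as an added example that is not the demo's code: the "second factor passed" state is kept server-side against the session, the code is checked with a real RFC 6238 TOTP computation rather than a fixed value, and each time-step counter is accepted only once so a code cannot be replayed. The in-memory dicts and the enrolled secret for a constructed user 7 are assumptions.

```python
# Added example (not the demo app's code): server-side MFA state with real TOTP.
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict

STEP = 30  # TOTP time step in seconds

# Constructed server-side state. The "MFA passed" bit lives only here,
# never in a query parameter or a client-controlled cookie.
_pending: Dict[str, int] = {}        # session id -> user_id awaiting the 2nd factor
_verified: Dict[str, int] = {}       # fully authenticated session id -> user_id
_last_counter: Dict[int, int] = {}   # user_id -> last accepted counter (replay guard)
_totp_secret: Dict[int, bytes] = {7: secrets.token_bytes(20)}  # constructed user 7

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(for_time // STEP), digits)

def begin_mfa(user_id: int) -> str:
    """Password step succeeded; park the login until the code is verified."""
    sid = secrets.token_urlsafe(32)
    _pending[sid] = user_id
    return sid

def complete_mfa(sid: str, code: str, now=time.time) -> bool:
    user_id = _pending.get(sid)
    if user_id is None or not (code.isascii() and code.isdigit()):
        return False
    secret = _totp_secret[user_id]
    base = int(now() // STEP)
    # Allow one step of clock skew either way, but never accept a counter at or
    # below the last one already used: every code is good exactly once.
    for counter in (base - 1, base, base + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            if counter <= _last_counter.get(user_id, -1):
                return False
            _last_counter[user_id] = counter
            del _pending[sid]
            _verified[sid] = user_id
            return True
    return False

def is_fully_authenticated(sid: str) -> bool:
    return sid in _verified
```

The MFA step should sit behind the same attempt throttling as the password step; a six-digit code with unlimited guesses is only a small search space.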
Vulnerable idea: store user_id or raw token in cookie; trust it blindly forever.
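The selector/validator pattern that replaces it, as an added example and not the demo's own code: the cookie holds a random lookup selector and a random validator, the server stores only the validator's hash alongside the user_id and an expiry, the cookie is rotated on every use, and a known selector presented with a wrong validator revokes that token as a theft signal. The in-memory dict standing in for a remember-me table and the 30-day lifetime are constructed assumptions.

```python
# Added example (not the demo app's code): remember-me cookies that carry no
# user_id and no raw secret the server could leak.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

REMEMBER_TTL = 30 * 24 * 3600   # assumption: 30-day lifetime

# Constructed store mirroring a remember-me table:
# selector -> {"user_id", "validator_hash", "expires"}
_remember: Dict[str, dict] = {}

def _vhash(validator: str) -> bytes:
    return hashlib.sha256(validator.encode()).digest()

def issue_remember_me(user_id: int, now=time.time) -> str:
    """Returns the cookie value 'selector:validator'. The selector is just a
    database key; the validator is the secret and is stored only as a hash."""
    selector = secrets.token_urlsafe(9)
    validator = secrets.token_urlsafe(32)
    _remember[selector] = {
        "user_id": user_id,
        "validator_hash": _vhash(validator),
        "expires": now() + REMEMBER_TTL,
    }
    return f"{selector}:{validator}"

def redeem_remember_me(cookie: str, now=time.time) -> Optional[Tuple[int, str]]:
    """Returns (user_id, replacement cookie) or None. The presented token is
    consumed and a fresh one issued, so a copied cookie stops working as soon
    as the legitimate client uses the original."""
    try:
        selector, validator = cookie.split(":", 1)
    except ValueError:
        return None
    rec = _remember.get(selector)
    if rec is None or now() > rec["expires"]:
        _remember.pop(selector, None)
        return None
    if not hmac.compare_digest(rec["validator_hash"], _vhash(validator)):
        # Right selector, wrong secret: treat as a stolen/forged cookie and revoke it.
        del _remember[selector]
        return None
    del _remember[selector]
    return rec["user_id"], issue_remember_me(rec["user_id"], now=now)

def revoke_all(user_id: int) -> int:
    """Password change or 'log out everywhere': drop every token for the user."""
    victims = [s for s, r in _remember.items() if r["user_id"] == user_id]
    for s in victims:
        del _remember[s]
    return len(victims)
```

A session restored from a remember-me cookie should be marked as less trusted than a fresh password login, with sensitive actions (password change, payment details) requiring re-authentication.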