Authentication is hard. And that's exactly why you should never have to be writing your own auth code, but rather, use existing frameworks.

There are so many tiny details and edge cases that can have such catastrophic results, it's too much of a risk to do it yourself. Unless writing auth frameworks is your job, of course.
> Stack Overflow isn't of too much help, as developer relations from a company called Stormpath loved plugging their IaaS startup on every imaginable post regarding this. Their documentation also popped up everywhere and they have a blogvertisement on password reset, as well. However, all of this is for naught as Stormpath is defunct, and it shuts down entirely August 17, 2017.

I remember these guys and I had a serious argument back then with one of them. I pity companies who bought into their services and depend on it today. People often push the idea that security and ID management should be "outsourced". They shouldn't; security audits should.