My first post pointing to a short article I wrote a few days ago about good practices for authentication in web applications.
https://thecibrax.com/good-practices-for-user-authentication-in-web-applications
https://thecibrax.com/good-practices-for-user-authentication-in-web-applications