Auth System Design (Sessions & Tokens Guide)
Scenario
You’re building username/password auth with sessions for web and mobile: sign-up, login, logout, optional remember device, and password reset—while attackers run credential stuffing, brute force, and session theft against you every day. The interview rewards threat modeling and boring crypto hygiene, not inventing a new token format.
Design authentication for an application: sign-up, login, session handling, and logout, suitable for browser and API clients.
Constraints
Functional
Register with email/username + password; login; logout; optional “remember this device”; password reset flow (high level)
Non-functional
Industry-standard password handling; low latency auth check; resilience if session store degrades
Scale
Millions of users; high read volume on session validation
Stages ahead
1. Requirement Analysis
2. API Design
3. High-Level Design
4. HLD Extensions
5. Trade-offs