Broken Access Control

Only web pages

Web pages, databases, and directories

Only databases

Directories and images

Neglecting server-side restrictions

Restricting access on both UI and server side

Using outdated authentication methods

Providing too many user accounts

Users can only access their own data

Attackers can gain admin rights

The application becomes faster

Users are logged out automatically

Securing only the UI interface

Keeping tokens active indefinitely

Allowing password changes without logout

Invalidating tokens and cookies after logout

To improve user experience

To ensure the user remembers their password

To prevent unauthorized access with old credentials

To reduce server load