DEV Community

Armaan

HOW TO BUILD AND SECURE A SECURE FLASK LOGIN SYSTEM

WHY I BUILT THIS

As a cybersecurity student and an enthusiastic developer aiming for real-life projects, I want to understand how login systems work under the hood, how they get broken, and how they get fixed.
More importantly, you can learn how secure a Flask login system can be 💡 (AND A BASIC, BEGINNER-FRIENDLY, REAL-WORLD PROJECT FOR DEV BEGINNERS)

WHAT I USED ⚠

  • Python 3.11
  • Flask -> web framework
  • SQLite -> lightweight DB
  • HTML and Bootstrap -> frontend
  • Werkzeug -> password hashing
  • Security extras: 1. input sanitization 2. hashed passwords 3. basic session management

STEP BY STEP: BUILDING THE LOGIN SYSTEM >>>
Project setup:
pip install flask
mkdir flask-login-app
cd flask-login-app
touch app.py

MINIMAL FLASK LOGIN SYSTEM :
from flask import Flask, render_template, request, redirect, session
from werkzeug.security import generate_password_hash, check_password_hash

app = Flask(__name__)
app.secret_key = 'yoursecretkey'  # placeholder: load a long random value from config, never commit the real one

users = {}  # simulated db for now

@app.route('/', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        user = users.get(username)
        if user and check_password_hash(user['password'], password):
            session['user'] = username
            return f"welcome back, {username}!"
        return "login failed."  # same generic message whether the username or the password was wrong
    return render_template('login.html')

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        users[username] = {
            'password': generate_password_hash(password)  # only the hash is kept, never the plain text
        }
        return redirect('/')
    return render_template('register.html')

if __name__ == '__main__':
    app.run(debug=True)  # development only: debug mode exposes the Werkzeug debugger and must be off in production
Simple login.html and register.html templates, headed "Login" and "Register" respectively, each hold one form.

How I Secured It
✅ Password Hashing

generate_password_hash(password)      # for storing
check_password_hash(hash, password)   # for verifying
✅ Session Management

session['user'] keeps the user logged in

app.secret_key signs the session cookie, so the client cannot alter it without the key

✅ Input Sanitization

Basic HTML forms with the required attribute on each field

Use Flask’s built-in request sanitization

✅ No Hardcoded Passwords

All stored passwords are hashed using Werkzeug's SHA256

✅ Minimal Error Exposure

Don't show stack traces or errors on login fail

🚫 What I Avoided (On Purpose)
❌ No SQL injection-prone raw queries

❌ No storing passwords in plain text

❌ No sensitive debug info on the frontend

❌ No use of eval() or insecure libs

🔄 What’s Next (TODOs)
Integrate SQLite for persistent DB

Add JWT or session expiry

Use CSRF protection via Flask-WTF

Implement Account Lockout after N failed attempts

Log failed login attempts for analysis

🧠 What I Learned
Building the system taught me:

How vulnerabilities enter at the login layer

The importance of hashing

That security ≠ a one-time feature, but a continuous mindset

💬 Final Thoughts
If you're learning Flask, don’t just build a login system. Break it, fix it, and secure it. That’s how you grow from a dev into a security-minded engineer.

Let me know what you'd add to secure this better — I'm still learning!
