Heimdall Scan logo, AI security scanner for vibe coders
Heimdall ScanOpen Beta
CriticalAccess Control

Weak session token and cookie configuration

If your app rolled its own authentication instead of using Supabase Auth or Clerk, the security of every logged-in session comes down to how the session token is created and stored. A few common mistakes here can let an attacker forge a session or steal one from a legitimate user.

#What goes wrong

AI-generated auth code sometimes signs tokens with a hardcoded or fallback secret, a string literal instead of a real value, or stores the session token somewhere JavaScript can read it, like localStorage, instead of an HttpOnly cookie.

#Why it matters

A weak or hardcoded signing secret means anyone can forge a valid session token for any user, including an admin, without ever knowing a password. A token readable by JavaScript means a single XSS bug anywhere on the site can be used to steal every visitor's session.

#How Heimdall checks for this

Heimdall looks at how session tokens are signed and stored: whether the signing secret comes from an environment variable rather than a hardcoded fallback, and whether the session cookie is set with HttpOnly, Secure, and SameSite flags.

#How to fix it

Generate a long random secret with something like openssl rand -hex 32, store it only in an environment variable, and never fall back to a hardcoded default. Set the session cookie with HttpOnly so client-side scripts can't read it, Secure so it only travels over HTTPS, and SameSite=Lax or Strict to limit cross-site use.

Frequently asked questions

I use Supabase Auth or NextAuth. Does this check apply to me?

Why not just store the token in localStorage for convenience?

What's a reasonable session expiry?

Run this check on your own repo

Heimdall scans your GitHub repo for this and 29 other issues in under a minute.