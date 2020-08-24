But mostly the problem is not in the process of authenticating login details; it is most times after the user has passed the login validation process, including Google Auth and SMS.

What we have discussed so far is the validation process to log in a user.

But that's not where the big problem is.

An attacker just waits to steal his session after the user has gone past the validation process.

This is how it is done.

A hacker installs a RAT on your system.

Then he waits till you log in; he will know that you are logged in if you visit certain dashboard pages.

Then he hijacks your session and accesses your account with your already active session.

So hanging everything on session and session destroy is something I am uncomfortable with.

That's why I need something else to merge with session.

Not necessarily for validation purposes, but for the life span of an already validated session or account.