Design auth, session security, and top-N users

Design a web application where a user signs in and the page displays "Hello, <username>". 1) Define the client–server APIs for sign-up, sign-in, sign-out, and fetching the greeting (request/response shapes, status codes, and error handling). 2) Choose an authentication approach (stateful sessions vs. stateless tokens like JWT) and detail password storage, MFA (optional), TLS, CSRF protection, and XSS mitigations. 3) After sign-in, explain how to prevent others from impersonating a user by reusing/guessing a user ID; cover session identifiers or tokens, entropy, rotation/expiration, storage (cookie flags, SameSite), token binding, refresh flows, and defenses against fixation, replay, and theft. 4) Design an endpoint/service that returns the top N active users over a recent time window; define what "active" means, the signals you will count (e.g., requests, actions), the data model, and an efficient computation approach (e.g., sliding-window counters, stream processing, precomputed aggregations). Include scalability, consistency, rate limiting, and back-of-the-envelope capacity planning.