How do I approach System Design interview questions?

System Design questions require understanding of core concepts and practice. PracHub provides solutions with explanations to help you master system design interviews.

What difficulty level is this interview question?

This is a hard difficulty System Design question, commonly asked during Onsite rounds at Bloomberg.

What role is this question designed for?

This question is commonly asked for Software Engineer candidates at Bloomberg during technical interviews.

Design auth, session security, and top-N users | Bloomberg Interview Question

Q: Design auth, session security, and top-N users

This question evaluates a candidate's competency in web authentication and session security, secure API design, and scalable analytics for computing top-N active users.

Web App Design: Authentication, Security, and Top-N Active Users

Context: Build a browser-based web application where a user signs in and the page displays "Hello, <username>". Assume JSON over HTTPS, a single-page web client, and a backend service. Design the APIs, authentication, and a service that returns the top N active users over a recent time window.

Tasks

Client–Server APIs

Define REST endpoints for sign-up, sign-in, sign-out, and fetching the greeting.
Include request/response JSON shapes, HTTP status codes, and error handling.

Authentication Approach

Choose between stateful server-side sessions and stateless tokens (e.g., JWT).
Detail password storage, optional MFA, TLS requirements, CSRF protection, and XSS mitigations.

Post Sign-In Impersonation Risks

Explain how to prevent impersonation via reusing/guessing a user ID.
Cover session identifiers or tokens, entropy, rotation/expiration, storage (cookie flags, SameSite), token binding, refresh flows, and defenses against fixation, replay, and theft.

Top N Active Users Service

Design an endpoint/service that returns the top N active users over a recent window.
Define "active" and the signals counted (e.g., requests, actions).
Propose a data model and an efficient computation approach (e.g., sliding-window counters, stream processing, precomputed aggregations).
Include scalability, consistency tradeoffs, rate limiting, and back-of-the-envelope capacity planning.

Tasks

Client–Server APIs

Define REST endpoints for sign-up, sign-in, sign-out, and fetching the greeting.

Include request/response JSON shapes, HTTP status codes, and error handling.

Authentication Approach

Choose between stateful server-side sessions and stateless tokens (e.g., JWT).

Detail password storage, optional MFA, TLS requirements, CSRF protection, and XSS mitigations.

Post Sign-In Impersonation Risks

Explain how to prevent impersonation via reusing/guessing a user ID.

Cover session identifiers or tokens, entropy, rotation/expiration, storage (cookie flags, SameSite), token binding, refresh flows, and defenses against fixation, replay, and theft.

Top N Active Users Service

Design an endpoint/service that returns the top N active users over a recent window.

Define "active" and the signals counted (e.g., requests, actions).

Propose a data model and an efficient computation approach (e.g., sliding-window counters, stream processing, precomputed aggregations).

Include scalability, consistency tradeoffs, rate limiting, and back-of-the-envelope capacity planning.

Design auth, session security, and top-N users

Quick Overview

Web App Design: Authentication, Security, and Top-N Active Users

Tasks

Solution

Submit Your Answer to Earn 20XP

Design auth, session security, and top-N users

Quick Overview

Web App Design: Authentication, Security, and Top-N Active Users

Tasks

Solution

Submit Your Answer to Earn 20XP