session-based-access-control
Security pattern combining session authentication with authorization. Use when implementing web application security requiring both user authentication via session IDs and authorization checks for resource access. Combines Opaque token-based authentication with Authorisation pattern.
Security pattern combining session authentication with authorization. Use when implementing web application security requiring both user authentication via session IDs and authorization checks for resource access. Combines Opaque token-based authentication with Authorisation pattern.
Session-Based Access Control Security Pattern
Combines session-based authentication (opaque tokens) with authorization. Subject is first authenticated via session ID, then authorized based on their principal's privileges before action execution.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Subject | Entity | Requests actions with session ID |
| Authentication Enforcer | Enforcement Point | Verifies session ID |
| Verifier | Decision Point | Validates session, retrieves principal |
| Session Manager | Entity | Maintains open sessions |
| Session ID Generator | Cryptographic Primitive | Generates secure session IDs |
| Authorisation Enforcer | Enforcement Point | Checks action authorization |
| Decider | Decision Point | Makes authorization decisions |
| Policy Provider | Information Point | Manages access policies |
Data Elements
- sessionId: Opaque token identifying session
- principal: Authenticated identity
- actionId: Identifier for requested action
- objectId: Identifier for target resource
- privileges: Permissions granted to principal
Combined Flow
Subject → [action + sessionId] → Auth Enforcer
Auth Enforcer → [sessionId] → Verifier
Verifier → [get_principal] → Session Manager
Session Manager → [principal] → Verifier
Verifier → [principal] → Auth Enforcer
Auth Enforcer → [action + principal] → Authz Enforcer
Authz Enforcer → [authorise(principal, actionId, objectId)] → Decider
Decider → [get_privileges(principal)] → Policy Provider
Policy Provider → [privileges] → Decider
Decider → [allowed/denied] → Authz Enforcer
Authz Enforcer → [action] → System (if allowed)
Step-by-Step
- Subject sends request with session ID
- Authentication Enforcer forwards session ID to Verifier
- Verifier queries Session Manager for associated principal
- If valid session, principal returned to Auth Enforcer
- Auth Enforcer forwards request (with principal) to Authz Enforcer
- Authz Enforcer extracts actionId and objectId from request
- Decider queries Policy Provider for principal's privileges
- Decider determines if action on object is permitted
- If authorized, request forwarded to System
Session Management
Session Creation
- Subject authenticates (e.g., password login)
- Session Manager creates new session
- Session ID Generator produces secure random ID
- Session Manager stores sessionId→principal mapping
- Session ID returned to Subject
Session ID Requirements
- Minimum 64 bits of entropy
- Generate 128+ bits using CSPRNG
- Check for duplicates before storing
Session Lifetime
- Idle timeout (configurable)
- Absolute maximum duration
- Invalidate on logout
- Invalidate on credential change
Authorization Model
Privilege Determination
- Policy Provider maintains access rules
- Common models: RBAC, ABAC, ACL
- Consider both action AND object in decisions
Critical: Object-Level Authorization
Always verify:
- Principal can perform this action type
- Principal can access this specific object
IDOR Prevention: Never skip object-level checks; verify principal has access to the specific objectId.
Security Considerations
Authentication Layer
- All session management best practices apply
- See: Opaque token-based authentication pattern
Authorization Layer
- Default deny: reject unless explicitly allowed
- Policy integrity: protect rules from tampering
- Complete mediation: check every request
Separation of Concerns
- Authentication determines WHO
- Authorization determines WHAT they can do
- Both must pass for action to proceed
Resource Protection
- Auth and Authz enforcers on critical path
- Potential DoS target—implement rate limiting
- Consider caching for performance
Session Data Security
- If storing sensitive data in session, encrypt it
- Minimize session data exposure
Implementation Checklist
- [ ] Secure session ID generation (128+ bits, CSPRNG)
- [ ] Session timeout policies (idle + absolute)
- [ ] New session ID on login
- [ ] Session invalidation on logout
- [ ] Authorization check on every request
- [ ] Object-level authorization (IDOR prevention)
- [ ] Default deny policy
- [ ] Policy integrity protection
- [ ] Rate limiting on enforcers
Related Patterns
- Opaque token-based authentication (session component)
- Authorisation (access control component)
- Limit request rate (DoS protection)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/01_01_006__session_based_access_control/
- OWASP Session Management Cheat Sheet
- OWASP Authorization Cheat Sheet
You Might Also Like
Related Skills
coding-agent
Run Codex CLI, Claude Code, OpenCode, or Pi Coding Agent via background process for programmatic control.
openclaw
add-uint-support
Add unsigned integer (uint) type support to PyTorch operators by updating AT_DISPATCH macros. Use when adding support for uint16, uint32, uint64 types to operators, kernels, or when user mentions enabling unsigned types, barebones unsigned types, or uint support.
pytorchat-dispatch-v2
Convert PyTorch AT_DISPATCH macros to AT_DISPATCH_V2 format in ATen C++ code. Use when porting AT_DISPATCH_ALL_TYPES_AND*, AT_DISPATCH_FLOATING_TYPES*, or other dispatch macros to the new v2 API. For ATen kernel files, CUDA kernels, and native operator implementations.
pytorchskill-writer
Guide users through creating Agent Skills for Claude Code. Use when the user wants to create, write, author, or design a new Skill, or needs help with SKILL.md files, frontmatter, or skill structure.
pytorch
implementing-jsc-classes-cpp
Implements JavaScript classes in C++ using JavaScriptCore. Use when creating new JS classes with C++ bindings, prototypes, or constructors.
oven-shimplementing-jsc-classes-zig
Creates JavaScript classes using Bun's Zig bindings generator (.classes.ts). Use when implementing new JS APIs in Zig with JSC integration.
oven-sh