igbuend/session-based-access-control-pattern
skills/session-based-access-control-pattern/SKILL.md
Security pattern combining session authentication with authorization. Use when implementing web application security requiring both user authentication via session IDs and authorization checks for resource access. Combines Opaque token-based authentication with Authorisation pattern.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard session-based-access-control-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:20 PM22.6s1 file scanned
SKILL.md
- name:
- session-based-access-control-pattern
- description:
- Security pattern combining session authentication with authorization. Use when implementing web application security requiring both user authentication via session IDs and authorization checks for resource access. Combines Opaque token-based authentication with Authorisation pattern.
Session-Based Access Control Security Pattern
Combines session-based authentication (opaque tokens) with authorization. Subject is first authenticated via session ID, then authorized based on their principal's privileges before action execution.
Core Components
| Role | Type | Responsibility | |------|------|----------------| | Subject | Entity | Requests actions with session ID | | Authentication Enforcer | Enforcement Point | Verifies session ID | | Verifier | Decision Point | Validates session, retrieves principal | | Session Manager | Entity | Maintains open sessions | | Session ID Generator | Cryptographic Primitive | Generates secure session IDs | | Authorisation Enforcer | Enforcement Point | Checks action authorization | | Decider | Decision Point | Makes authorization decisions | | Policy Provider | Information Point | Manages access policies |
Data Elements
- sessionId: Opaque token identifying session
- principal: Authenticated identity
- actionId: Identifier for requested action
- objectId: Identifier for target resource
- privileges: Permissions granted to principal
Combined Flow
Subject → [action + sessionId] → Auth Enforcer
Auth Enforcer → [sessionId] → Verifier
Verifier → [get_principal] → Session Manager
Session Manager → [principal] → Verifier
Verifier → [principal] → Auth Enforcer
Auth Enforcer → [action + principal] → Authz Enforcer
Authz Enforcer → [authorise(principal, actionId, objectId)] → Decider
Decider → [get_privileges(principal)] → Policy Provider
Policy Provider → [privileges] → Decider
Decider → [allowed/denied] → Authz Enforcer
Authz Enforcer → [action] → System (if allowed)
Step-by-Step
- Subject sends request with session ID
- Authentication Enforcer forwards session ID to Verifier
- Verifier queries Session Manager for associated principal
- If valid session, principal returned to Auth Enforcer
- Auth Enforcer forwards request (with principal) to Authz Enforcer
- Authz Enforcer extracts actionId and objectId from request
- Decider queries Policy Provider for principal's privileges
- Decider determines if action on object is permitted
- If authorized, request forwarded to System
Session Management
Session Creation
- Subject authenticates (e.g., password login)
- Session Manager creates new session
- Session ID Generator produces secure random ID
- Session Manager stores sessionId→principal mapping
- Session ID returned to Subject
Session ID Requirements
- Minimum 64 bits of entropy
- Generate 128+ bits using CSPRNG
- Check for duplicates before storing
Session Lifetime
- Idle timeout (configurable)
- Absolute maximum duration
- Invalidate on logout
- Invalidate on credential change
Authorization Model
Privilege Determination
- Policy Provider maintains access rules
- Common models: RBAC, ABAC, ACL
- Consider both action AND object in decisions
Critical: Object-Level Authorization
Always verify:
- Principal can perform this action type
- Principal can access this specific object
IDOR Prevention: Never skip object-level checks; verify principal has access to the specific objectId.
Security Considerations
Authentication Layer
- All session management best practices apply
- See: Opaque token-based authentication pattern
Authorization Layer
- Default deny: reject unless explicitly allowed
- Policy integrity: protect rules from tampering
- Complete mediation: check every request
Separation of Concerns
- Authentication determines WHO
- Authorization determines WHAT they can do
- Both must pass for action to proceed
Resource Protection
- Auth and Authz enforcers on critical path
- Potential DoS target—implement rate limiting
- Consider caching for performance
Session Data Security
- If storing sensitive data in session, encrypt it
- Minimize session data exposure
Implementation Checklist
- [ ] Secure session ID generation (128+ bits, CSPRNG)
- [ ] Session timeout policies (idle + absolute)
- [ ] New session ID on login
- [ ] Session invalidation on logout
- [ ] Authorization check on every request
- [ ] Object-level authorization (IDOR prevention)
- [ ] Default deny policy
- [ ] Policy integrity protection
- [ ] Rate limiting on enforcers
Related Patterns
- Opaque token-based authentication (session component)
- Authorisation (access control component)
- Limit request rate (DoS protection)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/01_01_006__session_based_access_control/
- OWASP Session Management Cheat Sheet
- OWASP Authorization Cheat Sheet
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026