session-based-access-control-pattern
Installation
SKILL.md
Session-Based Access Control Security Pattern
Combines session-based authentication (opaque tokens) with authorization. Subject is first authenticated via session ID, then authorized based on their principal's privileges before action execution.
Core Components
| Role | Type | Responsibility |
|---|---|---|
| Subject | Entity | Requests actions with session ID |
| Authentication Enforcer | Enforcement Point | Verifies session ID |
| Verifier | Decision Point | Validates session, retrieves principal |
| Session Manager | Entity | Maintains open sessions |
| Session ID Generator | Cryptographic Primitive | Generates secure session IDs |
| Authorisation Enforcer | Enforcement Point | Checks action authorization |
| Decider | Decision Point | Makes authorization decisions |
| Policy Provider | Information Point | Manages access policies |