
If your problem is in authorisation, then it will be in your business logic, of what a user looks like, what the hierarchy is, and so on. It shouldn't live in your framework.

And the standard ways of doing that, generating single-use tokens, will work the way they usually do.

As I said... I didn't use cookies. Which means none of what you listed applied in the first place. Logins were entirely ephemeral and died after a single session ended - as pains were taken to ensure anonymity.




