User Access and Privilege Management in Modern Web applications !

Rupender Bauhtey
4 min readMar 11, 2021

Back in 1980’s the websites didn’t have so much functionalities in them . They used to deliver the same content to every single user that visited them .

Slowly as the internet evolved , websites started to tailor the content according to the user who wants to fetch it . This was the era when login mechanism were introduced in web applications .

As the internet grew more and more people started visiting websites and the websites has to take care that it does not show the content to user which was supposed to be kept private or supposed be shown only to the administrator or to any different user .

Now here comes the role of User Access and privilege management . The website has to manage every user’s accesses and the privileges , so that the content that the user sees or the action that the user takes is completely according to the user , Not any less than that or Not any slightest more than that. So lets see how web application handling all these accesses and privileges. Now lets see how its done .


To understand the User Access first we should know what are different types of users . There are basically 3 types of users

  • Unauthenticated/Anonymous users

Unauthenticated/Anonymous users are the users who have not been authenticated by the web application. They can surf the basic outer layer of the web application Interface. They have the least privilege.

  • Authenticated Users

Authenticated Users are the users which have been identified and authenticated by the web application and they can log in and have the access to more functionality and data in the website and they have more accesses and privileges than an Unauthenticated/Anonymous User .

  • Administrators

Administrator is the person who has fully access and privileges in a web application . He can do any changes in the web application .He has access to all the data and functionality of the web application


Authentication is a process/mechanism in which the user proves his identity . Through this process the web application makes sure that the user is actually the person who he is claiming to be

This can be done through different ways and most prevalent ways are

  • Username and password based authentication
  • Username and OTP based authentication
  • Biometric based Authentication

Session And Session ID

After Authentication , the backend server creates a session at the backend and provides the user with a session ID which directly corresponds to the session which is created for the user at the backend . Now lets see what a session is

Session is the temporary data stored at the server which contains the information about the user like

  • Unique Id of the user
  • Role of the user
  • Time when is the session is started
  • The time when the session will end if the user does not performs any action
  • If payment is involved then the information about the payment

Session Id is the String provided to the user which directly maps to the session which is created for the user at the backend . Once the session is created and session id is issued to the user , the browser will send that session id in every request it makes to the server. The session Id is mostly sent in the cookies

Now that you know what all these terms are Its the time see how its done in altogether


Initially the user undergoes the authentication process and proves that he is the person who is he claiming to be . Then a session is created for that user at the backend and a session Id corresponding to that session is issued to the user

Then after that every request that the user makes will contain that session id . Now when the backend server receives the request from the user it retrieves the session id from that request and checks to which session that session id is pointing to or mapping to .

Then the server check the access level or privilege of the user in the information stored in that session . If the server finds out that user has a role which has access to the resource which the user has requested then the server responds back to the user with the resource that he requested in the request

If the server finds out the user has a role which does not have access to that resource then the server responds back with a error code .

Now what happens when users of same access levels access their information . Definitely different users have different data and that data is supposed to be shown to the owner only

And if the users clicks on a delete account button how it is decided that which account is supposed to be deleted

Now in these cases when the user makes a request and the server retrieves the session id from it and then retrieves the unique id of the user from the information stored in the session and then from that id and then requesting database with that id the server comes to know that from which specific user this request is coming . This allows the application to perform specific user actions and show the data which is specific to the user

Thank You so much for taking out time and reading

If you have any question , please feel free to ask it on my social media handles .

Facebook —

Instagram —

LinkedIn —

Twitter —



Rupender Bauhtey

Hacker | Web Application Penetration tester | Python Developer | Java Developer