Thank you for your thorough answer @databrecht. Regarding the cookies, what I meant by returning it to the user is setting it in a Set-Cookie header in the response. So I assume that's the safest way, except for having a random session ID in between as you mentioned?
Regarding the privileges, would it be possible to do this for a role, i.e., if I know that the user is an admin, can I get all the privileges set for that role in some way?
Another question that came to my mind: is there some dedicated method to easily check if a user's secret is still valid? I saw some methods to check the credentials, but I would just like to find out if the secret is good or not.