Thursday, May 02, 2013

Authorisation: Conditions of entry for web applications


We recently deployed a complete reimplementation of the user management and authentication part of our customer web platform. This now includes user authorisation - I think this time we mostly got it right, touch wood.

Authorisation in software applications is tricky to get right. There are always a hundred opinions on how it should be done, it introduces a heap of corner cases that you didn't anticipate, and you often end up with something that is much more complex than what you really need.

I have had the chance to implement authorisation for different web applications. Over time I have built up a list of considerations to review before blindly running down the implementation path.