All of what you say is true but I feel important details are lost.

Elixir's Phoenix framework has very good plugins -- like Guardian -- that give you 95% of the tools you might need for your own security solution, and you can assemble them in 15-60 minutes (this of course assumes your security model isn't wildly different from what the various plugins support). You have separate Plugs -- think of them as pipes of a sort -- that handle cookie session management, another that handles JWT tokens, HTTP basic auth, etc.

The only thing you must do is assemble such pieces in a code module that basically serves as a pipeline with several Plugs (pipes) connected in the order you deem appropriate for the security model of your app. Any of these Plugs can modify or remove headers or tokens, can consult a third-party system (say, for single sign-on), can provide throttling, temporarily lock out an account that made too many invalid login attempts, can refuse a session due to a non-whitelisted IP, etc.

So no, you're not inventing cookie session management or anything there. You simply have control over which security mechanisms -- and when, and under which conditions -- happen on a request.
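To make the pipeline idea concrete, here is an added sketch (not code from the comment above or from the Guardian project) of two custom security Plugs and a Guardian pipeline that chains them. It assumes the `plug` and `guardian` Hex packages are in the project; `MyApp.Guardian`, `MyApp.AuthErrorHandler`, `MyApp.LoginAttempts`, the allowlist and the failure budget are hypothetical names and values.

```elixir
# Added example, not from the original comment. Assumes the `plug` and
# `guardian` packages; every MyApp.* module and the sample values are hypothetical.

defmodule MyApp.Plugs.AllowlistIP do
  @moduledoc "Refuses any request whose remote IP is not in the configured allowlist."
  import Plug.Conn

  def init(opts), do: Keyword.fetch!(opts, :allowed)

  def call(%Plug.Conn{remote_ip: ip} = conn, allowed) do
    if ip in allowed do
      conn
    else
      conn
      |> send_resp(403, "forbidden")
      |> halt()   # halt/1 stops every plug further down the pipeline
    end
  end
end

defmodule MyApp.Plugs.LoginThrottle do
  @moduledoc "Rejects a login once the account has exceeded its failed-attempt budget."
  import Plug.Conn
  @max_failures 5   # hypothetical budget

  def init(opts), do: opts

  def call(%Plug.Conn{params: %{"email" => email}} = conn, _opts) do
    # MyApp.LoginAttempts is a hypothetical counter store (ETS, Redis, ...).
    case MyApp.LoginAttempts.failures(email) do
      n when n >= @max_failures -> conn |> send_resp(429, "too many attempts") |> halt()
      _ -> conn
    end
  end

  # Requests without an email param are not login attempts; pass them through.
  def call(conn, _opts), do: conn
end

defmodule MyApp.AuthPipeline do
  # Order matters: cheap network-level refusals first, then session/JWT checks.
  use Guardian.Plug.Pipeline,
    otp_app: :my_app, module: MyApp.Guardian, error_handler: MyApp.AuthErrorHandler

  plug MyApp.Plugs.AllowlistIP, allowed: [{127, 0, 0, 1}]   # hypothetical allowlist
  plug MyApp.Plugs.LoginThrottle
  plug Guardian.Plug.VerifySession       # token carried in the cookie session
  plug Guardian.Plug.VerifyHeader        # or a bearer JWT in the Authorization header
  plug Guardian.Plug.EnsureAuthenticated # reject if neither check yielded a valid token
  plug Guardian.Plug.LoadResource
end
```

Mounting `MyApp.AuthPipeline` as a `plug` inside a Phoenix router `pipeline` applies the whole chain to every route in that scope, and reordering the `plug` lines changes which check runs first.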
