Every part of the application and type of request should verify that the user has a valid current session (if required) and thus their privileges, before undertaking any other data validation and processing.

NB: This relates to application-wide session management control. See SM K for what session management routines to use.