A providing computer system may receive a request, via a stateless protocol, to access a resource. An access control application may refer to administrative rules to set validation information associated with the request. Validation information may be in the form of electronic text that is stored in a location such as a cookie or state-table. Validation information may indicate the state of a session associated with a resource, such as whether a session is in a logged-in or logged-out state. When a request is received, validation information and authentication information may be utilized together to determine if access to a resource should be granted. When access to a resource is granted or denied, validation information may be updated to indicate that the state of the session has changed.