Whenever I hear lightweight and complete, I always wonder if they handle one of the hardest things to do cleanly in web-apps: user authentication and access control of resources. Does Lotus support this out of the box?
Slightly OT, but as a mobile guy who occasionally toys with server-side programming, authentication is always where I get stuck. I'd like to see some examples of how to implement authentication and sessions cleanly without too much framework magic. Any pointers?
It doesn't, nor is it supposed to. It is composed of small parts with as little responsibility as possible. The idea of Lotus is to not force you to use any tool or favor any kind of approach to such things, but instead give you enough "frame work" to compose with other tools that are responsible for tasks like authorization, authentication, persistence, or really any kind of stuff you need to do.
A quick look at the API[1] showed a couple of mentions of Sessions in the example structure. Not sure if it is handled out of the box, but I get the impression it is not difficult to implement. But that is just authentication, no idea about access control.
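As an added example (not code from this thread or from Lotus), here is the "small composable parts" approach the replies describe, in plain Ruby: a Rack-compatible middleware that admits a request only if it carries an HMAC-signed, expiring session cookie, plus a PBKDF2 password check with a constant-time comparison. The user store, the in-memory secret, the cookie name `session` and the `app.user_id` env key are assumptions for the example.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000
# Assumed for the example: in a real app load the secret from config, not memory.
SESSION_SECRET = SecureRandom.bytes(32)

# Constant-time byte comparison so a mismatch position is not leaked by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Store only salt + PBKDF2-HMAC-SHA256 of the password, never the password.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  [salt, digest.unpack1('H*')]
end

def password_matches?(password, salt, stored_hex)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  secure_compare(candidate.unpack1('H*'), stored_hex)
end

def sign(payload)
  OpenSSL::HMAC.hexdigest('sha256', SESSION_SECRET, payload)
end

# Token layout: "<user_id>.<unix expiry>.<hmac>"; the server needs no session table.
def issue_session(user_id, ttl = 3600, now = Time.now.to_i)
  payload = "#{user_id}.#{now + ttl}"
  "#{payload}.#{sign(payload)}"
end

# Returns the user id for a valid, unexpired token, nil otherwise.
def verify_session(token, now = Time.now.to_i)
  user_id, expiry, mac = token.to_s.split('.', 3)
  return nil unless user_id && expiry && mac
  return nil unless secure_compare(sign("#{user_id}.#{expiry}"), mac)
  return nil if expiry.to_i <= now
  user_id
end

# Rack-style middleware: any app responding to call(env) can sit behind it.
class RequireSession
  def initialize(app)
    @app = app
  end

  def call(env)
    cookie = (env['HTTP_COOKIE'] || '')[/(?:^|;\s*)session=([^;]+)/, 1]
    user = verify_session(cookie)
    return [401, { 'content-type' => 'text/plain' }, ['unauthorized']] unless user
    env['app.user_id'] = user
    @app.call(env)
  end
end
```

Access control is a separate concern: the middleware only establishes who the caller is and leaves authorization decisions to the app behind it.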