You might want to establish a browser session once you authenticate. That way when any calls come to your App, you just check if a session exists. If not, go through the login task and establish one, then carry on with the request. The only other time you need to validate with those parameters is when requests are coming from Shopify that are Webhooks or App Proxy calls, since those clearly fall outside the realm of a session.
Once you master that, you can play with the idea of one browser session but two or more shops connecting to your App. That is an added level of tricky.
If you are not following that pattern you are off on a weird experiment of your own, and it is unlikely anyone will help you in your endeavors.
