Logout user if role is changed mid-session
#2

Since storing sessions is tricky when it comes to systems running on multiple instances behind a load-balancer, I simply store a UUID in the session cookie and store the connection between the UUID and the user's account in a table in the database. Incoming requests are checked for the cookie and the UUID is looked up in the DB and the user is found.

In your case, after editing the user's permissions it would be possible to look up the user's UUID and remove that in either the database or Redis. This would force the user's session to be invalid.


Messages In This Thread
RE: Logout user if role is changed mid-session - by tgix - 07-23-2020, 11:33 PM
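
The approach described in the post above, sketched as an added example (not tgix's code and not any framework's API). The table layout and the function names `open_store`, `login`, `resolve`, `change_role` and `demo` are assumptions, and in-memory SQLite stands in for the shared database.

```python
import sqlite3
import uuid


def open_store():
    # In-memory SQLite stands in for the shared database (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE sessions (sid TEXT PRIMARY KEY,
                               user_id INTEGER NOT NULL REFERENCES users(id));
    """)
    return conn


def login(conn, user_id):
    # The cookie carries only this random UUID, never the user id or role.
    sid = str(uuid.uuid4())
    with conn:
        conn.execute("INSERT INTO sessions VALUES (?, ?)", (sid, user_id))
    return sid


def resolve(conn, sid):
    # Per-request lookup: (user_id, current role), or None if revoked/unknown.
    return conn.execute(
        "SELECT u.id, u.role FROM sessions s JOIN users u ON u.id = s.user_id "
        "WHERE s.sid = ?", (sid,)).fetchone()


def change_role(conn, user_id, new_role):
    # The role update and the session removal commit in one transaction,
    # so every session issued under the old role is gone once the role changes.
    with conn:
        conn.execute("UPDATE users SET role = ? WHERE id = ?", (new_role, user_id))
        cur = conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
    return cur.rowcount  # sessions (devices) logged out


def demo():
    # Constructed data: user 1 is logged in on two devices when demoted.
    conn = open_store()
    conn.execute("INSERT INTO users VALUES (1, 'admin')")
    a, b = login(conn, 1), login(conn, 1)
    revoked = change_role(conn, 1, "viewer")
    return revoked, resolve(conn, a), resolve(conn, b)
```

Deleting by `user_id` rather than by a single UUID logs the user out on every device, and other users' sessions are untouched.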


