Better approach to restricting users access to managed controllers?
#4

[eluser]Aken[/eluser]
I also do something similar, but I do the Permission Denied page instead of 404 or redirect. In my opinion, it's best to give the actual error message, otherwise it can confuse people. And for me, people can guess URLs all they want - I don't care if they receive a permissions denied message at a page that they guessed (then again, I don't build apps that are super secret like that, either).

[quote author="gwerner" date="1342121896"]What about in a scenario like this? User A has complete authority over the entire admin and changes user B's permissions to no longer allow access to area C. If the variables are stored in the session data that user will still have access until they either log out or time out. How do you handle this? Update the login time further back in time to force a time out?[/quote]

Session data is refreshed on every page load. If you change session data at one point, it will be updated the next time that user refreshes their browser (either on the same or a new page). Try it out for yourself.
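
One way to handle the revocation scenario raised in the quoted question, as an added example that is not part of the original posts and is not CodeIgniter's own code: keep a permission version in the user store and compare it against the session copy on every request, so a change made by an admin applies on the affected user's next page load. The `$store` array, the `perm_version` field and all function names are hypothetical, and the array stands in for a database query.

```php
<?php
// Constructed stand-in for a users/permissions table.
$store = [
    'userB' => ['perm_version' => 1, 'areas' => ['A', 'C']],
];

// At login, copy the permissions and their version into the session.
function login(array $store, string $user): array
{
    return [
        'user'         => $user,
        'perm_version' => $store[$user]['perm_version'],
        'areas'        => $store[$user]['areas'],
    ];
}

// Admin-side change: update the areas and bump the version so cached copies go stale.
function set_areas(array &$store, string $user, array $areas): void
{
    $store[$user]['areas'] = $areas;
    $store[$user]['perm_version']++;
}

// Per-request guard, e.g. called from a base controller before any action runs.
// Returns the HTTP status to send: 200, or 403 for the Permission Denied page.
function authorize(array $store, array &$session, string $area): int
{
    $user    = $session['user'] ?? null;
    $current = $user !== null ? ($store[$user] ?? null) : null;
    if ($current === null) {
        $session = [];   // no login or account removed: drop the session
        return 403;
    }
    if ($current['perm_version'] !== $session['perm_version']) {
        // Cached permissions are stale: reload from the authoritative store.
        $session['areas']        = $current['areas'];
        $session['perm_version'] = $current['perm_version'];
    }
    return in_array($area, $session['areas'], true) ? 200 : 403;
}

$session = login($store, 'userB');
echo authorize($store, $session, 'C'), "\n";   // request before the change
set_areas($store, 'userB', ['A']);             // user A revokes area C for user B
echo authorize($store, $session, 'C'), "\n";   // user B's next request
```

The version comparison costs one cheap lookup per request and avoids forcing a logout or back-dating the login time.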


Messages In This Thread
Better approach to restricting users access to managed controllers? - by El Forum - 07-12-2012, 05:13 PM


