Welcome Guest, Not a member yet? Register   Sign In
Problem with updating session data

If you just delete the session(s) associated with the user ID from the database, it doesn't necessarily log the user out, and it potentially wastes resources on your server if the user is active and attempts to read the session data. You may find that you can't delete the session data because the session library has a lock in place, or, when the user does something which causes the server to attempt to read the data, the server may encounter an error or regenerate the session.

The whole point of a "remember me" feature is to allow the user to stay logged in longer than would be permitted by a session, so the absence of session data should not indicate anything in particular about whether the user can be authenticated.

When the user attempts to login (or is automatically logged in) the system should check whether the user has been banned (or any other status which would prevent a successful login). If the user logs out, the data related to the "remember me" feature should be removed (usually a cookie and some identifier in the database) and the user's session should be destroyed.

If the user is banned while they are active on the site, it isn't really a matter for the Authentication mechanism of your site to deal with. The best you could do as part of the Authentication mechanism would be to check whether the user is banned on each request and force a logout.

Otherwise, you're dealing with Authorization, which is related, but generally should be separate from Authentication. Authentication tells you whether the user is who they claim to be. Authorization tells you whether the user can perform a specific action. Generally, a banned user shouldn't be authorized to do anything, so being Authenticated as a banned user could potentially be worse than being logged out.

When the user attempts to create/read/update/delete some data, the system should check whether they are authorized to do so. Initially, you might not need any more authorization than "the user is authenticated and not banned". In the long term, though, there are any number of authorization systems which can be built, including role and permission systems.

Messages In This Thread
Problem with updating session data - by boddah85 - 06-14-2016, 05:54 AM
RE: Problem with updating session data - by mwhitney - 06-14-2016, 02:05 PM
RE: Problem with updating session data - by PaulD - 06-14-2016, 03:50 PM

Theme © iAndrew 2016 - Forum software by © MyBB