I’ve created a user role system; I can give a user the role of administrator, editor, etc.
It’s based on sessions: when a user signs in it stores the user’s role in the session, and then I can perform a check like this, e.g.
if ($_SESSION['role'] == 'administrator') {
echo 'You are administrator!';
}
My question is: how can I invalidate the user if I change his administrator role to e.g. a basic user role while he is online (session still active)?
Is it expensive to check every time whether the role set in the session matches the role stored in the database?
Perhaps you could check that the user still has the appropriate permissions immediately before making any updates to the database. So they might still be able to see something they shouldn’t, but as soon as they attempt to store anything, the game is up and they’re logged out.
I’d imagine you would want to do that anyway, even without the scenario that their privilege might change while they’re logged in.
Thanks for the answer @droopsnoot.
But what if I change his role while he is logged in? I check the session to see whether the user is logged in as admin or not; in this case, should I compare the session data with the database data to see if the user’s role differs from the one stored in the session?
I think the idea was to not query the database until the user attempts to commit an action that requires them to be an admin.
That way you don’t have to trouble the DB for every page while they are acting as a basic user.
But if they try to perform some admin action, you check their status, deny them the action and update the session.
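One way to implement the approach the replies describe (re-check the database only when a privileged action is attempted, and refresh or drop the session if the role has changed), as an added example that is not code from the thread. It assumes a `users` table with `id` and `role` columns and takes the session array by reference so it can be run against `$_SESSION` in a real app or against a plain array, as in the constructed demo below.

```php
<?php
// Added example, not from the thread. Call this before any admin-only action
// instead of trusting $_SESSION['role'] on its own.
// Assumes a `users` table with `id` and `role` columns (constructed here in SQLite).

function requireRole(PDO $db, array &$session, string $needed): bool
{
    if (!isset($session['user_id'], $session['role'])) {
        return false; // not logged in at all
    }

    // One cheap primary-key lookup, only on privileged requests.
    $stmt = $db->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$session['user_id']]);
    $current = $stmt->fetchColumn();

    if ($current === false) {
        $session = [];          // account no longer exists: log them out
        return false;
    }

    if ($current !== $session['role']) {
        $session['role'] = $current;   // refresh the stale role in the session
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true); // new id on a privilege change
        }
    }

    return $current === $needed;
}

// --- constructed demo data (SQLite in memory, no server needed) ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, role) VALUES (1, 'administrator')");

// What login stored in the session.
$session = ['user_id' => 1, 'role' => 'administrator'];
var_dump(requireRole($db, $session, 'administrator'));

// An admin demotes this user while they are still online.
$db->exec("UPDATE users SET role = 'basic' WHERE id = 1");
var_dump(requireRole($db, $session, 'administrator'));
var_dump($session['role']);
```

In a real page you would pass `$_SESSION` as the second argument and deny the action (or redirect to the login page) when the function returns false.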