Best Approach To Implement "ban User" Feature

Hello.

I am trying to figure out what is the best way to implement user banning. The requirements are as follows:

  • Upon ban, the user must not be able to log in to the site again.

  • If the user is currently logged in, he/she must be forcibly logged out

  • "Remember me" feature is implemented in my application, so banned user also should not be able to autologin using cookies

So I’d like to know what is the best practice to implement this feature.

Also what is the right way to organize keeping of ban info in the db (assuming the requests will be made on each page request) - i.e. in some indexed “status” field of “users” table along with other user data or in a separate table (I’m using MySQL 5.5).

I have read the following posts but didn’t get a clear idea unfortunately:

http://www.yiiframework.com/forum/index.php/topic/22986-ban-user/page__p__112188__hl__banned#entry112188

http://www.yiiframework.com/forum/index.php/topic/15864-force-logout-with-auto-login-and-session/page__p__78752__hl__banned#entry78752

A simple approach could look like this:

  • Add a banned column to your users table

  • Configure your own WebUser class as user component, which extends from CWebUser.

  • Override getIsGuest() in your class and test whether the user is logged in (parent::getIsUser()) and then verify whether banned is set for this user. In this case, always return false.

Of course you can refine this concept. E.g. log the user out or log something.
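
Added example, not part of the thread: one way to cover the three requirements (login, active session, "remember me" cookie) in Yii 1.1 with a CWebUser subclass. It assumes the banned column is in the users table, that users.id is the primary key returned by the identity's getId(), and that the class is registered as the user component; in this sketch a banned or missing account is treated as a guest and logged out.

```php
<?php
// Added example for Yii 1.1. Register it in the application config:
//   'user' => array('class' => 'WebUser', 'allowAutoLogin' => true),
class WebUser extends CWebUser
{
    // The ban lookup for the active session runs at most once per request.
    private $_banChecked = false;

    // Assumption: users.id is the primary key and equals the identity id.
    // A missing row (deleted account) is treated as banned, so the check fails closed.
    protected function isBanned($id)
    {
        $banned = Yii::app()->db
            ->createCommand('SELECT banned FROM users WHERE id = :id')
            ->queryScalar(array(':id' => $id));
        return $banned === false || (bool) $banned;
    }

    // CWebUser calls this from login() and from the cookie-based auto-login,
    // so returning false refuses both the login form and "remember me".
    protected function beforeLogin($id, $states, $fromCookie)
    {
        return parent::beforeLogin($id, $states, $fromCookie)
            && !$this->isBanned($id);
    }

    // Covers a user who was already logged in when the ban was set.
    public function getIsGuest()
    {
        if (parent::getIsGuest()) {
            return true;
        }
        if (!$this->_banChecked) {
            $this->_banChecked = true;
            $id = $this->getId();
            if ($this->isBanned($id)) {
                Yii::log("Banned user $id logged out", CLogger::LEVEL_WARNING, 'application.auth');
                // Destroys the session and clears the auto-login cookie.
                $this->logout();
                return true;
            }
        }
        return false;
    }
}
```

The per-request cost is one primary-key lookup, which MySQL serves from the existing index whether the flag is a column in users or a row in a separate table keyed by user id.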

Yes, indeed ;D

Thanks a lot.

There is a very long discussion of some "creative" forms to ban a user. While my primary interest is in "most effective" in terms of server resources but traditional ban, not hidden in any form. Otherwise it is interesting reading, thanks for the link.