I just noticed that when a user is logged in and I delete them from the database, their login does not expire, but they are still logged in and can still browse the website, although they can’t do anything anymore because the AuthItem records for the user are deleted (via my User::afterDelete).
I assume that in order to log them out automatically I’d have to check somewhere if their credentials (or at least the active userID) are still in the database, and if not, log out (with a message saying why they’re logged out).
The principle is simple enough, but I was wondering what the best place would be to put this code.
Should I put it in CWebApplication::onBeginRequest, CDbAuthManager::checkAccess, somewhere else?
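One way to do the per-request check described in the question, as an added example that is not code from the original post: a static handler attached to the application's `onBeginRequest` event, which fires before any controller, filter or `checkAccess()` call, so a deleted user is signed out before the first page is served. It assumes a Yii 1.1 application with a `User` CActiveRecord model whose primary key is the value Yii stores in `Yii::app()->user->id`; the class name `UserStillExistsFilter` and the flash key are my own choices.

```php
<?php
// Added example, not from the original post. Place in protected/components/
// (autoloaded via 'import' => array('application.components.*')).
// Assumption: `User` is a CActiveRecord whose primary key column is `id`.

class UserStillExistsFilter
{
    /**
     * Attach in protected/config/main.php:
     *
     *   'onBeginRequest' => array('UserStillExistsFilter', 'handleBeginRequest'),
     *
     * onBeginRequest runs in CApplication::run() before the request is routed,
     * i.e. before every controller filter and before CDbAuthManager::checkAccess().
     * Putting the check in checkAccess() instead would leave every page that
     * performs no permission check reachable by the deleted user.
     */
    public static function handleBeginRequest(CEvent $event)
    {
        $user = Yii::app()->user;
        if ($user->isGuest) {
            return; // nothing to verify for anonymous visitors
        }

        // One cheap query per request: does the row behind this session still
        // exist? exists() avoids hydrating a model object. Because this runs on
        // every request it also catches a "remember me" cookie that has just
        // re-created the login for a user row that is already gone.
        $stillExists = User::model()->exists('id = :id', array(':id' => $user->id));
        if ($stillExists) {
            return;
        }

        // logout(false) clears the user's session states and the auto-login
        // cookie but keeps the PHP session itself, so the flash set below is
        // still there when the login page renders it. The default logout()
        // destroys the session and would discard the flash with it.
        $user->logout(false);
        $user->setFlash('error', 'Your account no longer exists, so you have been signed out.');

        // Redirect to CWebUser::loginUrl (403 for AJAX requests) and end the request.
        $user->loginRequired();
    }
}
```

The check costs one query per authenticated request; if that matters, it generalises naturally to an `is_disabled`/`deleted_at` flag on the same row, which lets you suspend accounts without deleting them and keeps the AuthItem cleanup in `afterDelete` as the only place that needs to know about deletion.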
You could save the session id of the user in the database when the user logs in. When you delete the user from the db, you look up and remove all sessions which belong to the user. The user is then immediately logged out.
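The session-tracking approach from the answer above, as an added example that is not code from the original answer. It assumes sessions are stored in the database with `CDbHttpSession` (default table `YiiSession`, columns `id`, `expire`, `data`), plus a hypothetical `user_session` table (`user_id INT`, `session_id VARCHAR(64)`, primary key on both) that I introduce for the mapping; the `WebUser` class name is mine. Removing the `YiiSession` row is what actually ends the login, so this only works when sessions live in the database; with file-based sessions you are back to a per-request check.

```php
<?php
// Added example, not from the original answer. Assumptions: Yii 1.1, sessions
// stored via CDbHttpSession in table `YiiSession`, and a hypothetical table
//   user_session (user_id INT, session_id VARCHAR(64), PRIMARY KEY (user_id, session_id))
//
// protected/config/main.php (relevant parts):
//   'components' => array(
//       'user'    => array('class' => 'WebUser', 'allowAutoLogin' => true),
//       'session' => array('class' => 'CDbHttpSession', 'connectionID' => 'db',
//                          'sessionTableName' => 'YiiSession'),
//   ),

class WebUser extends CWebUser
{
    // Runs at the end of CWebUser::login(), after changeIdentity() has already
    // switched to the identity states, so the id recorded here is the one the
    // browser will present on subsequent requests.
    protected function afterLogin($fromCookie)
    {
        parent::afterLogin($fromCookie);
        Yii::app()->db->createCommand()->insert('user_session', array(
            'user_id'    => $this->id,
            'session_id' => Yii::app()->session->sessionID,
        ));
    }

    // With allowAutoLogin, a "remember me" cookie re-creates the login on the
    // next visit even though the session row was deleted. Refuse cookie-based
    // logins for user ids that no longer exist, otherwise the deleted user is
    // silently signed back in.
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if ($fromCookie && !User::model()->exists('id = :id', array(':id' => $id))) {
            return false;
        }
        return parent::beforeLogin($id, $states, $fromCookie);
    }
}

class User extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'users'; // assumption: the user table is called `users`
    }

    // Called by CActiveRecord::delete() with the attributes still available.
    // Put this next to the existing AuthItem cleanup mentioned in the question,
    // and run the whole delete inside one transaction so a failure here does not
    // leave a deleted user with live sessions.
    protected function afterDelete()
    {
        parent::afterDelete();
        $db = Yii::app()->db;

        // Deleting the session rows is what logs every browser of this user out:
        // on its next request CDbHttpSession finds no row and starts a fresh,
        // anonymous session.
        $db->createCommand(
            'DELETE FROM YiiSession
              WHERE id IN (SELECT session_id FROM user_session WHERE user_id = :uid)'
        )->execute(array(':uid' => $this->id));

        $db->createCommand()->delete('user_session', 'user_id = :uid', array(':uid' => $this->id));
    }
}
```

Unlike the per-request check, this adds no query to ordinary requests and terminates every concurrent session of the user at once, but it cannot show the user a "why you were logged out" message, because the session that would carry the flash is exactly what has been deleted.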