Logout Deleted User

Hi there,

Just out of curiosity, how do you handle this problem:

A user logs in, the user gets deleted by an admin, the user stays logged in for the rest of the session.

You can handle this case, for example, in the `beforeAction` method of your base Controller (if you have one). You can do a simple count on the user table to check if the user exists, or select the "status" column value of the user table if available.

Another idea would be to save a timestamp in the session after login. Then in `beforeAction` you only do the "user exists" check if the last check was longer than e.g. 5 minutes ago. When the user gets checked, you also update the timestamp in the session with the current timestamp. With this you avoid unnecessary queries for each request.
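The throttled `beforeAction` check described in the two replies above, as an added example that is not code from any poster in this thread. It assumes Yii 1.1, a `User` ActiveRecord model with primary key `id`, and a session key `__userCheckedAt` made up for this example.

```php
<?php
// Added example, assuming Yii 1.1 (e.g. protected/components/Controller.php).
// Assumed names: a User ActiveRecord model with primary key `id`;
// the session key `__userCheckedAt` is invented for this example.
class Controller extends CController
{
    // Seconds between database checks. This is also the longest time a
    // deleted user's session can keep working between two checks.
    const USER_RECHECK_INTERVAL = 300;

    protected function beforeAction($action)
    {
        $webUser = Yii::app()->user;

        if (!$webUser->isGuest) {
            $now = time();
            // Missing key (fresh session) yields 0, which forces a check.
            $lastCheck = (int) $webUser->getState('__userCheckedAt', 0);

            if ($now - $lastCheck >= self::USER_RECHECK_INTERVAL) {
                // Bound parameter: the id never becomes part of the SQL text.
                // A "status" column, if the table has one, would be added
                // to this condition.
                $exists = User::model()->exists(
                    'id = :id',
                    array(':id' => $webUser->id)
                );

                if (!$exists) {
                    // logout() destroys the session by default.
                    $webUser->logout();
                    $this->redirect($webUser->loginUrl);
                    return false; // not reached: redirect() ends the request
                }

                // Only a successful check refreshes the timestamp.
                $webUser->setState('__userCheckedAt', $now);
            }
        }

        return parent::beforeAction($action);
    }
}
```

Setting `USER_RECHECK_INTERVAL` to 0 turns this into the check-on-every-request variant from the first reply.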

You either use a database session store to handle forced logouts or alternatively check on each request if the user is still in the database.

I don’t, because I don’t need to. But I just came across an example that you may find interesting.

Look in the WordPress Codex wiki for the wp-config.php file, section about secret keys. It says there: "You can change these at any point in time to invalidate all existing cookies".

I think it could be a good starting point to see how it is solved in WordPress. It could (at least theoretically) be used to solve your problem. You could store secret keys per user in a file and only force generating a new one once a user has been deleted.

If only the WordPress solution could be adapted to Yii.

It will log out all your users, just keep that in mind.

I believe this is how it is done in WordPress. That’s why I wrote that this is (or even: could be) a good starting point to look for a solution that will log out only the deleted user.

Okay!

Thank you for your input everyone. I think I like the “store sessions in db”-solution the best, but I wonder about performance and I’ll have to test that.