Forced re-authentication after changing user rights

In my application, I can change permissions and user roles in the backend.

When a user is logged in and I remove the user's role, the user can still access content that he is not actually allowed to access, because he no longer has the role. The change takes effect only when the user re-authenticates with a logout / login.

So my question is: can I access a logged-in user's session (not my own)? I know that I can access my own session and destroy it, which forces me to log in again. But I want to get the session of any user who is logged in. Is that possible? I could not find any resources.

I am using PdoSessionStorage with Symfony 2.1 and FOSUserBundle.

+6
2 answers

Make your custom user class implement Symfony\Component\Security\Core\User\EquatableInterface.

If you return false from the isEqualTo() method, the user will be logged out. Use this method to compare only those properties that, when changed, should force re-authentication: roles in your case.

+9
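What that looks like in code, as an added example (not code from the answer, from Symfony or from FOSUserBundle): a plain user class whose isEqualTo() compares identity and the role set and nothing else. It assumes symfony/security is installed via Composer; with FOSUserBundle the same isEqualTo() method would go on the class that extends the bundle's user model. Field and class names are illustrative.

```php
<?php
// Added example: a user class implementing Symfony's EquatableInterface so
// that a change in roles invalidates the session's authentication.
// Assumption: symfony/security (2.1 or later) is available via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\EquatableInterface;

class User implements UserInterface, EquatableInterface
{
    private $username;
    private $password;
    private $salt;
    private $roles;

    public function __construct($username, $password, $salt, array $roles)
    {
        $this->username = $username;
        $this->password = $password;
        $this->salt     = $salt;
        $this->roles    = $roles;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getRoles()    { return $this->roles; }
    public function eraseCredentials() {}

    /**
     * Called by the security layer on every request after the user has been
     * re-fetched from the user provider: $this is the copy that was stored in
     * the session at login time, $user is the freshly loaded current state.
     * Returning false marks the token as not authenticated, so the user has
     * to log in again before reaching any protected resource.
     *
     * Only the properties whose change should force re-authentication are
     * compared: the identity (username) and the set of roles.
     */
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }
        if ($this->username !== $user->getUsername()) {
            return false;
        }
        // Compare roles as a set: neither order nor duplicates should matter,
        // otherwise users get logged out for no reason.
        $mine   = array_values(array_unique($this->roles));
        $theirs = array_values(array_unique($user->getRoles()));
        sort($mine);
        sort($theirs);
        return $mine === $theirs;
    }
}

// Demonstration with constructed data: the first object stands for the user as
// serialised into the session at login, the others for what the provider
// returns on a later request.
$atLogin   = new User('alice', 'hash', 'salt', array('ROLE_USER', 'ROLE_ADMIN'));
$revoked   = new User('alice', 'hash', 'salt', array('ROLE_USER'));            // ROLE_ADMIN removed since login
$reordered = new User('alice', 'hash', 'salt', array('ROLE_ADMIN', 'ROLE_USER')); // same set, different order

var_dump($atLogin->isEqualTo($revoked));
var_dump($atLogin->isEqualTo($reordered));
```

Two things to check before relying on this. First, the comparison is only as good as what ends up in the session: the user object is serialised into the session (PdoSessionStorage included), so if your user class has a custom serialize()/unserialize() that leaves roles out, the session-side copy has no roles to compare and every user is logged out or none is. Second, isEqualTo() runs on each request, so keep it cheap and side-effect free; if a password change should also end existing sessions, add the password and salt to the comparison.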

You can get around this problem by following an approach similar to what I did:

  • When a user logs in, save all permissions in the session along with a checksum of those permissions.
  • Store the same checksum in the database or on disk, against this user ID.
  • Whenever a user makes a request, make sure that the checksum in the session matches the checksum on the disk for that user. If it is different, reload the permissions into the user session.
  • When changing permissions, update the checksum in the database (or on disk) that is stored for this user. This will cause a resync on the next request.
-1
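A runnable sketch of that checksum resync, added here and not the answerer's code. To keep it stand-alone the database and the session are plain PHP arrays, and every function name (permissionsChecksum, loadPermissionsIntoSession, changePermissions, syncPermissions, isGranted) is invented for the example; in the real application the checksum lookup is a query keyed by user id and the session is whatever PdoSessionStorage hands you.

```php
<?php
// Added example: per-user permission checksum kept in the session and in the
// database, compared on every request, resynced on mismatch.
// The $db and $session arrays are constructed stand-ins for real storage.

function permissionsChecksum(array $permissions)
{
    // Canonical form first (unique, sorted, re-indexed), so the same set
    // always produces the same checksum regardless of order or duplicates.
    $perms = array_values(array_unique($permissions));
    sort($perms);
    return hash('sha256', json_encode($perms));
}

// Persistent store, keyed by user id (stands in for two database columns).
$db = array(
    'permissions' => array(42 => array('content.view', 'content.edit', 'admin.access')),
    'checksum'    => array(),
);
$db['checksum'][42] = permissionsChecksum($db['permissions'][42]);

// Step 1: at login, copy permissions and their checksum into the session.
function loadPermissionsIntoSession(array &$session, array $db, $userId)
{
    $session['permissions']   = $db['permissions'][$userId];
    $session['perm_checksum'] = $db['checksum'][$userId];
}

// Step 4: when an administrator changes rights, store data and checksum
// together (in one transaction in a real database) so a request can never
// see a new checksum with old permissions or vice versa.
function changePermissions(array &$db, $userId, array $newPermissions)
{
    $db['permissions'][$userId] = $newPermissions;
    $db['checksum'][$userId]    = permissionsChecksum($newPermissions);
}

// Step 3: on every request (e.g. from a kernel.request listener), compare the
// session's checksum with the stored one and reload on mismatch.
// Returns true when a resync happened, false when the session was current.
function syncPermissions(array &$session, array $db, $userId)
{
    $stored = isset($db['checksum'][$userId]) ? $db['checksum'][$userId] : null;
    if (!isset($session['perm_checksum']) || $session['perm_checksum'] !== $stored) {
        loadPermissionsIntoSession($session, $db, $userId);
        return true;
    }
    return false;
}

// Authorization check against the session copy.
function isGranted(array $session, $permission)
{
    return isset($session['permissions'])
        && in_array($permission, $session['permissions'], true);
}

// Demonstration: login, one unchanged request, an admin revoking rights,
// then the next request of the same session.
$session = array();
loadPermissionsIntoSession($session, $db, 42);
$first    = syncPermissions($session, $db, 42);
$before   = isGranted($session, 'admin.access');
changePermissions($db, 42, array('content.view'));
$resynced = syncPermissions($session, $db, 42);
$after    = isGranted($session, 'admin.access');

printf("first request resynced: %s\n", var_export($first, true));
printf("admin.access before change: %s\n", var_export($before, true));
printf("second request resynced: %s\n", var_export($resynced, true));
printf("admin.access after change: %s\n", var_export($after, true));
```

The checksum is compared with a plain `!==` because it is not a secret, only a change marker; a per-user integer "permissions version" that is incremented on every change does the same job with a cheaper column. Two caveats for the Symfony case described in the question: the lookup costs one extra query on every request, and Symfony's authorization decisions (access_control, isGranted) are taken from the roles carried by the security token, not from an array in the session, so after a resync you must put a token with the refreshed user into the security context, or simply deauthenticate it so the user logs in again, otherwise the reloaded permissions are never consulted.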
