Refresh another user session - best practice?

As with many web applications, when my users register on my site, I set several session variables that control the permissions to access the functions of the site.

Whenever the user takes an action that will change these permissions, I update the session variables as part of the normal processing flow.

But sometimes a user session needs to be updated based on the actions of another user. For example, a moderator updates user rights. The moderator does not have access to the user's session space, so normal update functions cannot be started for the affected user.

I looked at several ways to force an update for another user session, but they all have disadvantages:

  • I could search and delete their sessions from the session table, but this requires a full table scan (where sessdata LIKE "%user_id%"), and this can lead to loss of content that may be affected by the user involved in the production.
  • I can force a session update periodically, for example, when sess_time_to_update starts. But there is no guarantee that this will happen until the user attempts to access the functionality for which an update is necessary.
  • I could run a full series of update variables every time the page loads, but the whole point of maintaining is to avoid this overhead.
  • , , . ( , CI_Controller MY_Controller, )
  • , ( ). , , .

- ? , ?

( , CodeIgniter , CI, , . , CI- ( PHP).)

!

+3
4

, " ACL" ( , ). (, session_start()) , . , ACL.

- ( "" "" ..). , , 1. , , , , 1. , 0. , ...

, ... PHP, , . ... ( , PHP .).

, . TON , , . , ...

2 , , , ...

+3

, Code Igniter.

, User , , . , , , , .

, ? , , .. . , , , , db .

class User{
  public function __construct($uid){
    //fetch from the db here
    $sql = 'SELECT * FROM User_Table WHERE UserID = ?';
    $params = array($uid);
    //fetch and assign using your flavor of database access, I use PDO
    //set all your object properties for access, as well as user_id, something like
    //$this->user_id = $result['UserID'];
  }

  public static function Login($uname, $pass){
    //md5() is not a safe way to store passwords; prefer password_hash()/password_verify()
    $sql = 'SELECT UserID FROM User WHERE Username = ? AND Password = ?';
    $params = array($uname, md5($pass));
    //again I'm going to employ pseudocode here, fetch according to your preferred system
    if(!empty($result)){
      $_SESSION['user'] = new User($result['UserID']);
      return true;
    }else{
      //login failed!
      return false;
    }
  }

  final public function _refresh(){
    //refresher method.  Since the controller sets all the object properties for access
    //reconstructing and assigning it refreshes these privileges.
    $_SESSION['user'] = new User($this->user_id);
  }

}

, , , , , . , .

function _topSecret(){
  //re-read the user's rights from the db before the permission check
  $_SESSION['user']->_refresh();

  if($_SESSION['user']->specific_permission_from_db){
    //Perform the special action, get the view, whatever.
  }else{
    //redirect to an error page
  }

}

, , , , , , , , . , , , .

, , . , , CI , , . , - , CI, .

+2
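
As an added example (not code from the question or from any answer): a version counter lets a moderator's change reach the affected user's session on that user's next request, at the cost of one single-integer lookup per page load instead of a full reload. The `users.perm_version` column, the function names and the in-memory SQLite sample data are assumptions made for the illustration.

```php
<?php
// Hypothetical schema and constructed sample data, so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, can_post INTEGER, perm_version INTEGER)');
$pdo->exec('INSERT INTO users VALUES (42, 1, 1)');

// Full reload of everything the session caches about the user.
function loadPermissions(PDO $pdo, int $uid): array {
    $st = $pdo->prepare('SELECT can_post, perm_version FROM users WHERE id = ?');
    $st->execute([$uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('unknown user');
    }
    return ['can_post' => (bool)$row['can_post'],
            'perm_version' => (int)$row['perm_version']];
}

// Per-request check: a primary-key lookup of one integer.
// Returns true when the cached rights were stale and have been reloaded.
function syncPermissions(PDO $pdo, array &$session): bool {
    $st = $pdo->prepare('SELECT perm_version FROM users WHERE id = ?');
    $st->execute([$session['user_id']]);
    $current = $st->fetchColumn();          // false if the row is gone
    if ($current !== false && (int)$current === ($session['perm_version'] ?? null)) {
        return false;                       // unchanged: keep the cached rights
    }
    // Changed (or user deleted, in which case loadPermissions() throws).
    $session = ['user_id' => $session['user_id']]
             + loadPermissions($pdo, $session['user_id']);
    return true;
}

// Moderator side: change the right and bump the version in one statement,
// without touching the other user's session storage.
function revokePosting(PDO $pdo, int $uid): void {
    $pdo->prepare('UPDATE users SET can_post = 0, perm_version = perm_version + 1 WHERE id = ?')
        ->execute([$uid]);
}

// $session stands in for $_SESSION as populated at login.
$session = ['user_id' => 42] + loadPermissions($pdo, 42);
var_dump(syncPermissions($pdo, $session), $session['can_post']); // before the change
revokePosting($pdo, 42);
var_dump(syncPermissions($pdo, $session), $session['can_post']); // after the change
```
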

, . .

. , , .

+1

If you save the session as a native PHP session, I would try to leave it alone and let them get some kind of notification about the need to enter / exit to update the settings. I also have sites where session data is stored in db, and then it is much more trivial to just write a new parameter.

0

Source: https://habr.com/ru/post/1780735/