How to unset a session of someone viewing your site.

[turkman]

Basically i have a problem with my site. Ive realised now if i have a mod and i see from the log that he has been doing some suspicious stuff like trying to delete the admin or is deleting threads for no reason and i want to remove his privlidges... i dont know how... i can ban him so he cant access the site, but say i just wanted to remove his privlidges.

 

Now he has a session set - so i delete him as a mod but one of the session variables still show him as a mod when the site checks... how can i unset his variable? i think it would be quite resource intensive to check the database everytime someone loads a page to check if they have a session set but are no long in the database.

[ignace]

Store everyone's session in the database along with their user name, then if someone is acting suspicious just delete his session so that on the next request he needs to log-in again. Or ban him and then log him out.

[PFMaBiSmAd]

i think it would be quite resource intensive to check the database everytime someone loads a page to check

 

Ummm. That's exactly how almost all of the major applications that have a login in system and/or user groups/permissions/levels/access control does it.

 

For example, in most forum software, if anyone were to be banned (added to the banned group) or to be promoted/demoted, it would take effect immediately because on each page request the group membership of the visitor is checked in the database.

 

If you are going to have a user system that has mods/admins... you need a more sophisticated system than just setting a session variable and checking it on each page request.