1

I am trying to integrate permissions for users and I want to find the best way to do that. I am thinking of saving all of the user's permissions in the session on login, but when a permission is changed by the admin, I don't know how to monitor that.

So that's why I'm not sure if this is the right way.

Toon Krijthe
asked May 1, 2018 at 12:29
3
  • I'm no PHP expert so wouldn't want to answer, but the things to check are: 1) Session is stored server side, yes? Not in some kind of .NET-like viewstate field or cookie. 2) Do you have to consider load-balanced servers? Commented May 1, 2018 at 12:55
  • I wouldn't worry about an admin changing permissions of a user "on the fly". The user may log out and back in to pick up any changes an admin might make. If the permissions are being reduced, provide a way for the admin to forcefully log out the user so they will have to log back in, therefore getting their new permissions. Commented May 1, 2018 at 17:41
  • Well, the session is stored on both sides, because they must communicate somehow; usually it is stored in a browser cookie like PHP_SESSION. Commented May 7, 2018 at 13:01

2 Answers

0

It is OK as long as you're treating this only as a cache and you implement some decent revalidation mechanism.

You may save some token for each user (for example in the database), which should change when the admin changes the permissions of a particular user. Then on every pageview you need to compare the token from the session with the token in the database. If they differ, you should refresh the permissions saved in the session from the source. In this way you should always have up-to-date permissions in the session.

answered May 6, 2018 at 19:32
1
  • Thank you for the answer, it helped me a lot to make the choice. I forgot to mention, my project is on CodeIgniter 2.2.6, and I have now changed the session to use the DB. It looks easy: after investigating the CI core I found I can rewrite the default session class to my requirements, and it solved all my problems. Commented May 7, 2018 at 13:06
0

A better solution would be to have the user_id in the session, or a session_id that can be used to lookup the user's permissions (from a database). Storing permissions in the $_SESSION variable itself would make it difficult to manage the permissions from the admin perspective without explicitly unsetting/resetting the $_SESSION['permissions'] for the required user's session. Sounds messy..

If it is managed in the database, then the admin can simply change the permissions for the specific user there, and the change will be immediate, and when the user is looked up, it will have those permissions.

answered May 7, 2018 at 21:37
