How to update a user's session with PHP?

When a user logs in to my site I grab all their user info and store it in a session called user_info. This is so that I don't have to make continuous database lookups to get common info about the user that is required on almost every page. A user info session looks like this when var dumped:

array(17) {
  ["user_id"]=>
  string(7) "1165771"
  ["username"]=>
  string(2) "Jake"
  ["who"]=>
  string(1) "1"
  ["seeking"]=>
  string(1) "2"
  ["orientation"]=>
  string(1) "1"
  ["dob"]=>
  string(10) "1985-07-08"
  ["zip"]=>
  string(5) "25140"
  ["email"]=>
  string(17) "foo@bar.com"
  ["account_status"]=>
  string(1) "1"
  ["role"]=>
  string(1) "1"
  ["paused"]=>
  string(1) "0"
  ["latitude"]=>
  string(11) "37.89955100"
  ["longitude"]=>
  string(12) "-81.52641100"
  ["region"]=>
  string(2) "WV"
  ["city"]=>
  string(5) "NAOMA"
  ["avatar"]=>
  string(21) "1165771_50c6816a8fad1"
  ["email_setting"]=>
  string(1) "1"
}

Now there is an "account settings" page where the user can update some of their info. So if they change their username for example I do this to update their session so that it now contains the new value:

$_SESSION['user_info']['username'] = 'NEW VALUE';

Now here's the problem. If I decide to ban a user while moderating in the admin panel, then their account status will be updated from 1 (meaning active) to 2 (meaning banned) in the database. However to have this change be reflected in their user_info session I can't do this:

$_SESSION['user_info']['account_status'] = 2;

Because it will only be updating my user info on my computer rather than the user's session on his/her computer. They will be able to continue using the site even though they are technically banned until they log out and try to log back in.

Then they will be prevented entry because for the log in SQL query to return true in addition to getting the credentials correct the user must also have an account status of 1.

Questions

  1. How can I update the session of an individual user when I make a change to their account?

  2. How can I delete a user's session completely from my server so they are immediately logged out?

If you need this change to take immediate effect then, as far as I know, you will have to check the user's status on each page and, if the user is banned, take appropriate action.

This answer suggests changing the files as an alternative but even the author doesn't recommend that.

How can I update the session of an individual user when I make a change to their account?

Personally I'd just switch to database sessions - poll the database once at the beginning of your code to get all the users data into a variable.

That way, if the admin rights change during a page change, the user instantly has the new access level.

How can I delete a user's session completely from my server so they are immediately logged out?

You can also then 'delete' a session from the database - to force a user to be logged out.

Just add a check for the session on every page load. For example, have a db table where you temporarily write active sessions. If the user reloads and there is no such entry in the table, he has to log in again and rewrite the session. If he logs out or you have to kick him out, you just remove or modify the entry. This can also become a classic tool - currently whatever users are on site, etc.

An alternative solution (instead of direct disconnection) would be to add a time-stamp to the session and refresh it every xx minutes (if the session data is older than xx minutes, do a db query).

That way blocked users would not be kicked out immediately, but you could control the time and reduce the number of database queries (every xx minutes instead of every request).

However, I would first check if the queries to the user database really have that big of an impact.
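
The timestamp approach from the last answer, combined with the status check the other answers describe, as an added example that is not code from any of the posts. The `users` table layout, the `status_checked_at` session key, the `RECHECK_SECONDS` value and the function name are assumptions, and an in-memory SQLite database with constructed rows stands in for the real one.

```php
<?php
declare(strict_types=1);

const RECHECK_SECONDS = 300; // assumed "xx minutes" window; 0 means check on every request

/**
 * Returns true if the session may continue. Re-reads account_status from the
 * database when the cached copy is older than RECHECK_SECONDS.
 */
function account_still_active(PDO $db, array &$session, int $now): bool
{
    if (!isset($session['user_info']['user_id'])) {
        return false;                       // not logged in
    }
    $checkedAt = $session['status_checked_at'] ?? 0;
    if ($now - $checkedAt >= RECHECK_SECONDS) {
        $stmt = $db->prepare('SELECT account_status FROM users WHERE user_id = ?');
        $stmt->execute([$session['user_info']['user_id']]);
        $status = $stmt->fetchColumn();
        if ($status === false) {            // row no longer exists: treat as banned
            $status = '2';
        }
        $session['user_info']['account_status'] = (string) $status;
        $session['status_checked_at'] = $now;
    }
    if ($session['user_info']['account_status'] !== '1') {
        $session = [];                      // with real sessions, also call session_destroy()
        return false;
    }
    return true;
}

// Constructed demo data: in-memory SQLite stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, account_status INTEGER)');
$db->exec('INSERT INTO users VALUES (1165771, 1)');

// Stands in for $_SESSION; timestamps are constructed integers instead of time().
$session = ['user_info' => ['user_id' => '1165771', 'account_status' => '1'],
            'status_checked_at' => 1000];

var_dump(account_still_active($db, $session, 1010));  // cache is fresh, no query issued
$db->exec('UPDATE users SET account_status = 2 WHERE user_id = 1165771'); // admin bans the user
var_dump(account_still_active($db, $session, 1100));  // still inside the recheck window
var_dump(account_still_active($db, $session, 1300));  // window elapsed, status re-read
```

In a page handler this would be called with `$_SESSION` and `time()` right after `session_start()`. The recheck window is the longest a banned account keeps access, so it should be sized with that in mind.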