
Let's say we have this awesome User system before us; a User is logged in when a session key (user_id) is set. If a User gets "banned", however, the user will still be logged in - until the session expires.

Ways to prevent this are:

  1. Always check if the user got banned (every request).

  2. Save session data in, perhaps, a database to be able to remove the data easily (on the user being banned).

Is there a better approach to performing this task?

2
  • If you choose the second approach, remember you can save only the session identifier(s) in the database and then use them to kill the session(s) when blocking the user.
    – Furgas
    Commented Nov 23, 2012 at 9:36
  • Does it matter that if somebody gets banned that the ban takes a period of time to get enforced?
    – Ed Heal
    Commented Nov 23, 2012 at 9:43

4 Answers

1

I would choose 1. If you don't retrieve user information from your database in each request, users may also have trouble updating their data. For instance, I can log in at home, change my profile description to 'foo' and go work. There I log in as well, which results in a different session. I change the information to 'bar', which is stored in the database and in my work session. Then I go home and continue browsing in the previously opened home session, which will still contain 'foo'.

Therefore, I think you should at least do some checking against the user database on each request, so during that step you can check if the user is banned as well.

To speed this up, you could keep a special table with storage type MEMORY to keep session information in. This table can be accessed really fast, so it may increase performance. You only need to move information there if a user has changed in the 'real' database. You may use memcache in a similar way. Both are solutions to keep database IO to a minimum while still having the same results. I would add these optimizations only when you need them. Start with just querying the user on each request.

0

Just include in the session the last time it was checked to see if it has been banned. Then periodically check it against the banned users table.

0

You have to check it on every request by user_id. It's not much computation. You can use in-memory storage such as Redis or Memcached to store user_id=>banned pairs to check it rapidly. The second will not work because the session is not stable: I can log in from different computers, even browsers, and you will need complicated logic and many more resources to perform such a task.

0

You don't really want to be connecting to your database on every request as this will greatly increase load times on a server with many users - it's just not the best thing to do.

You could, however, use Memcache to store and retrieve a list of banned users, thereby speeding up your data request times.

    // Banned users are stored in Memcache under a key derived from their user_id
    // (assumed key format 'banned_<user_id>'); the session's own user_id selects
    // the entry to check, rather than one fixed key shared by every user.
    if (isset($_SESSION['isloggedin'], $_SESSION['user_id'])
        && $memcache->get('banned_' . $_SESSION['user_id']) === true) {
        session_unset();
        session_destroy();
    }

Memcache is really easy to use, and fun to learn if you haven't used it before.

You instantiate the memcache object as $memcache for example, and then you simply run methods like $memcache->set() and $memcache->get(). That's it!

1
  • It's also a good suggestion that your data processing to update Memcache with a list of banned users can be run via a cron say, every 5 minutes, on your server. This separates concerns and is generally better from a security perspective. I've done the exact same thing as you, and my method works flawlessly :)
    – Jimbo
    Commented Nov 23, 2012 at 9:57
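The pattern the answers converge on (a per-request ban check served from a cache in front of the user table, with the cache entry evicted the moment a ban is applied so it takes effect immediately rather than after the TTL or a cron run) as an added example; this is not code from the question or any answer. The user table, the Memcached-like store and the function names (USERS, TtlCache, is_banned, ban_user, handle_request) are constructed stand-ins so it runs offline.

```python
import time

# Constructed stand-in for the "real" user table; a ban flips the flag here first.
USERS = {42: {"banned": False}, 7: {"banned": False}}
DB_READS = {"count": 0}  # counts fallbacks to the user table (the cost answer 4 worries about)


class TtlCache:
    """Minimal Memcached-like store: get/set with a TTL and an explicit delete."""

    def __init__(self):
        self._items = {}

    def get(self, key, now=None):
        now = time.time() if now is None else now
        item = self._items.get(key)
        if item is None or item[1] <= now:   # missing or expired
            return None
        return item[0]

    def set(self, key, value, ttl, now=None):
        now = time.time() if now is None else now
        self._items[key] = (value, now + ttl)

    def delete(self, key):
        self._items.pop(key, None)


cache = TtlCache()


def is_banned(user_id, now=None):
    """Per-request check (answer 1), served from the cache (answers 3 and 4) when possible."""
    key = f"banned:{user_id}"
    cached = cache.get(key, now)
    if cached is not None:
        return cached
    DB_READS["count"] += 1
    # Unknown user ids are treated as banned: fail closed rather than open.
    banned = USERS.get(user_id, {}).get("banned", True)
    cache.set(key, banned, ttl=300, now=now)
    return banned


def ban_user(user_id):
    """Flip the flag in the table and evict the cache entry, so the very next
    request sees the ban instead of waiting for the TTL or a periodic refresh."""
    USERS[user_id]["banned"] = True
    cache.delete(f"banned:{user_id}")


def handle_request(session, now=None):
    """Return the action the app takes for one request carrying this session dict."""
    user_id = session.get("user_id")
    if user_id is None:
        return "anonymous"
    if is_banned(user_id, now):
        session.clear()          # equivalent of session_unset()/session_destroy()
        return "logged_out"
    return "ok"
```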
