I’m plotting out a new project with authentication and role-based authorization for parts of the app. One of the asks form the client is the ability to kill the logged-in session of a user if they’re deemed to be violating policy.
It seems the more elegant approach would be to define a role where a user can’t access anything except maybe a page explaining that they’re essentially in a time-out and an admin can just move them there.
Would there be other options? Maybe a way to kill their existing session?
Even if you killed the session, they could log in again, right? If so, seems like you’d want to set something on the user, whether it’s a in_timeout: true or role: banned so that they, like you mentioned, see a specific page, or can’t log in at all.
I think the easiest is if you simply store the sessions in the database, then you can just remove the session from the database and update their user account to a banned status so that they cannot log in.