Force reauthentication after user permissions have been changed

Backend · Unresolved · 2 replies · 2002 views
醉话见心 2021-02-14 17:14

In my application I can change user permissions and roles in the backend.

When a user is logged in and I remove a role from the user, the user can still access content which h

2 answers
    小鲜肉 (original poster)
    2021-02-14 17:42

    You can get around this issue by following an approach similar to what I did:

    1. When user logs in, store all permissions in session along with a checksum of those permissions.
    2. Store the same checksum in a database, or on disk, against that user ID.
    3. Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session
    4. When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.
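
The four steps above, implemented end to end as an added example (this is not code from the original answer or from any particular web framework). The in-memory dictionaries that stand in for the database and the server-side session store, the user `alice`, and the permission names are all constructed for the demo; in a real application they would be your user/role tables and your session backend.

```python
import hashlib
import json
from typing import Dict, Set

# Constructed stand-ins for persistent storage (assumption: not a real DB).
DB_USER_PERMS: Dict[str, Set[str]] = {
    "alice": {"posts:read", "posts:write", "admin:users"},
}
# Step 2 / step 4: the checksum recorded "on disk" against each user ID.
DB_PERM_CHECKSUM: Dict[str, str] = {}
# Step 1: server-side sessions, keyed by session ID.
SESSIONS: Dict[str, dict] = {}


def permission_checksum(perms: Set[str]) -> str:
    """Deterministic digest of a permission set; sorted so ordering never matters."""
    canonical = json.dumps(sorted(perms))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def login(session_id: str, user_id: str) -> None:
    """Step 1 and 2: load permissions into the session and record the checksum in both places."""
    perms = set(DB_USER_PERMS.get(user_id, set()))
    checksum = permission_checksum(perms)
    SESSIONS[session_id] = {"user_id": user_id, "perms": perms, "perm_checksum": checksum}
    DB_PERM_CHECKSUM[user_id] = checksum


def change_permissions(user_id: str, new_perms: Set[str]) -> None:
    """Step 4: an admin changes a user's permissions.

    Rewriting the stored checksum is what forces every live session of that
    user to resync on its next request. Do both writes in one transaction in
    a real DB, otherwise a session could resync between them and load stale data.
    """
    DB_USER_PERMS[user_id] = set(new_perms)
    DB_PERM_CHECKSUM[user_id] = permission_checksum(DB_USER_PERMS[user_id])


def sync_session_permissions(session_id: str) -> bool:
    """Step 3: run on every request. Returns True if the session's permissions were reloaded.

    A missing DB record (user deleted) also counts as a mismatch, so the
    session is reloaded to an empty permission set instead of keeping the old one.
    """
    session = SESSIONS[session_id]
    user_id = session["user_id"]
    if DB_PERM_CHECKSUM.get(user_id) == session["perm_checksum"]:
        return False
    session["perms"] = set(DB_USER_PERMS.get(user_id, set()))
    session["perm_checksum"] = permission_checksum(session["perms"])
    return True


def handle_request(session_id: str, required_perm: str) -> bool:
    """Authorization decision for one request, made only after the stale-session check."""
    if session_id not in SESSIONS:
        return False
    sync_session_permissions(session_id)
    return required_perm in SESSIONS[session_id]["perms"]


if __name__ == "__main__":
    login("s1", "alice")
    print("admin:users before change:", handle_request("s1", "admin:users"))
    change_permissions("alice", {"posts:read"})          # role removed while logged in
    print("admin:users after change: ", handle_request("s1", "admin:users"))
    print("posts:read after change:  ", handle_request("s1", "posts:read"))
```

The check in `sync_session_permissions` is the part that has to run before any authorization decision, i.e. in middleware or a before-request hook rather than in individual views. Note that step 3 still costs one storage read per request; the scheme only pays off when reading a single checksum is cheaper than reloading the whole permission set (for example because the checksums live in a cache). A monotonically increasing per-user permission version number works the same way and avoids the hashing.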
