Force reauthentication after user permissions have been changed

Question

In my application I can change user permissions and roles in backend.

When a user is logged in and I remove a role of the user, the user can still access content which h

Answer 1

You can get around this issue by following an approach similar to what I did:

1. When user logs in, store all permissions in session along with a checksum of those permissions.
2. Store the same checksum in a database, or on disk, against that user ID
3. Whenever the user makes a request, verify that the checksum on disk matches the one in session for that user. If it is different, reload the permissions into the user's session
4. When you change the permissions, update the checksum in the database (or on disk) that is stored against that user. This will trigger a resync on their next request.

Answer 2

Make your user class implement Symfony\Component\Security\Core\User\EquatableInterface.

If you return false from the isEqualTo() method, the user will be reauthenticated. Use that method to compare only those properties that when changed should force reauthentication — roles in your case.