I could be wrong about this, but it is my understanding that it is a very common practice to handle permissions like so:
-
The user goes to the login page and provides a username and password.
-
The username and password are verified. If valid, the user’s information (including permissions) is set to a session variable.
-
As the logged in user navigates the site, certain features are available to the user based on their permissions, which are referenced in the session.
This makes sense since it would be impractical to frequently query the database for the user’s permissions. However, from a security standpoint, I’m not sure what the best approach is. A simple example would be if you were to remove a certain permission from a user while they’re logged in. An extreme example would be if you were to mark a user account as inactive while they’re logged in. I don’t know how you could get that user’s web browser to know about the change other than to code database permission checks (as opposed to session permission checks) into every part of the website. Again, that seems like overkill, but is that really the only way if you want a secure website?
Thanks!
I believe you’ve got it stated correctly:
Depending upon how your site is designed, it might make sense to invalidate the user’s session when you perform drastic enough modifications to the user’s privileges. Deleting sessions mean the user will be faced with a new request to log in, but if you’ve just disabled their account or severely downgraded their privileges, that might be acceptable.
But you wouldn’t want to invalidate the session for every little thing and certainly not for almost any permission enhancement operations.
If you expire all sessions N seconds after the last authentication you can place an upper limit on the amount of time that your application code would grant permissions that have actually been revoked. This might be suitable when the stakes are not very high anyway.