
I have written a system in which a background PHP process (written using the RabbitMQBundle) processes messages from a message queue. The worker process updates user accounts. This may include a change in the user roles.

The problem is that a user won't notice any changes in his roles while being logged in. The new roles only get applied after logging out and in again. From a security perspective this is not desirable. A user should lose any role as soon as an administrator takes away privileges from that user in the backend system.

The question is: How can a session for a specific user be updated with the new roles? Or when that is not possible, how can the session be invalidated?

Note that in the background process we don't have an active security.context or request that we can use. Code like this therefore doesn't work:

$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();

Sander Toonen

1 Answer

You can solve this in several ways:

1) via security.always_authenticate_before_granting

You can force Symfony to refresh user on each request, effectively reloading all roles with it.

See this SO question/answer: Change the role of a distant user without having to relog

2) Via EquatableInterface:

You need to implement isEqualsTo(User) which in turn should compare everything with User class, including roles.

See this link: Create a User Class

3) Finally, you can use a DBMS to store sessions. Then it's just a matter of finding the record and deleting it.

Jovan Perovic
  • Thank you! I'll take a look at the performance impact of the first option. Any idea whether option 3 can be done with Memcache or Redis as a session store as well? – Sander Toonen Jan 16 '15 at 15:58
  • I didn't use any of those so far, but knowing the capability of each I would say that it's totally doable ;) As for the #1, I did use this option on a project with ~100 users and I didn't notice any impact. This makes sense since 100 users is pretty low... – Jovan Perovic Jan 16 '15 at 16:00
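Option 2 from the answer above, written out as an added example (this is not code from the question, the answer, or Symfony itself). The interface method Symfony actually calls is EquatableInterface::isEqualTo(UserInterface $user); Symfony's ContextListener invokes it on every request after reloading the user from the user provider, and a false return marks the token as no longer authenticated, so a role removed by the background worker takes effect on the user's next request instead of at the next login. The entity name AppUser, its fields and the role-comparison helper are assumptions for illustration; the Symfony interfaces are assumed to be autoloaded.

```php
<?php
// Added example: a user class whose isEqualTo() includes roles in the
// comparison, so a role change made outside the request (e.g. by the
// RabbitMQ worker) deauthenticates the cached session token.
// Class and property names are hypothetical; Symfony interfaces assumed present.

use Symfony\Component\Security\Core\User\EquatableInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class AppUser implements UserInterface, EquatableInterface
{
    private $username;
    private $password;
    private $salt;
    private $roles;

    public function __construct($username, $password, $salt, array $roles)
    {
        $this->username = $username;
        $this->password = $password;
        $this->salt     = $salt;
        $this->roles    = $roles;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getSalt()     { return $this->salt; }
    public function getRoles()    { return $this->roles; }
    public function eraseCredentials() {}

    /**
     * Called by Symfony on each request with the freshly loaded user.
     * Returning false tells the firewall the session token is stale,
     * which forces re-authentication. Without the role check here a
     * revoked privilege would survive until the user logs out.
     */
    public function isEqualTo(UserInterface $user)
    {
        if (!$user instanceof self) {
            return false;
        }

        // Any change that affects authentication or authorization must
        // invalidate the token: password rotation, salt change, username
        // change, or, the point of this example, a change in roles.
        return $this->username === $user->getUsername()
            && $this->password === $user->getPassword()
            && $this->salt     === $user->getSalt()
            && self::sameRoles($this->roles, $user->getRoles());
    }

    /**
     * Order-insensitive role comparison: the worker may persist roles in
     * a different order than the one serialized into the session, and
     * that alone must not log anybody out.
     */
    private static function sameRoles(array $a, array $b)
    {
        sort($a);
        sort($b);
        return $a === $b;
    }
}

// Constructed check of the comparison logic, runnable without a container:
$inSession = new AppUser('alice', 'hash', 'salt', array('ROLE_USER', 'ROLE_ADMIN'));
$reloaded  = new AppUser('alice', 'hash', 'salt', array('ROLE_ADMIN', 'ROLE_USER'));
$demoted   = new AppUser('alice', 'hash', 'salt', array('ROLE_USER'));

var_dump($inSession->isEqualTo($reloaded)); // true: same roles, different order
var_dump($inSession->isEqualTo($demoted));  // false: ROLE_ADMIN was revoked
```

Note that this only runs the comparison when the firewall refreshes the user, which in Symfony 2.x happens per request for stateful firewalls; combining it with the always_authenticate_before_granting setting from option 1 is what guarantees the re-check also covers isGranted() calls inside a single request.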