使 Symfony2 中特定用户的会话无效 [英] Invalidate session for a specific user in Symfony2

问题描述

我编写了一个系统，其中一个后台 PHP 进程(使用 RabbitMQBundle 编写)处理来自一个消息队列.工作进程更新用户帐户.这可能包括用户角色的变化.

I have written a system in which a background PHP process (written using the RabbitMQBundle) processes messages from a message queue. The worker process updates user accounts. This may include a change in the user roles.

问题是用户在登录时不会注意到他的角色有任何变化.新角色只有在注销并再次登录后才能应用.从安全角度来看，这是不可取的.一旦管理员在后端系统中剥夺了该用户的权限，该用户应立即失去任何角色.

The problem is that a user won't notice any changes in his roles while being logged in. The new roles only get applied after logging out and in again. From a security perspective this is not desirable. A user should loose any role as soon as an administrator takes away privileges from that user in the backend system.

问题是:如何使用新角色更新特定用户的会话?或者如果不可能，如何使会话失效?

The question is: How can a session for a specific user be updated with the new roles? Or when that is not possible, how can the session be invalidated?

请注意，在后台进程中，我们没有可以使用的活动 security.context 或 request.因此，这样的代码不起作用:

Note that in the background process we don't have an active security.context or request that we can use. Code like this therefore doesn't work:

$this->get('security.context')->setToken(null);
$this->get('request')->getSession()->invalidate();

推荐答案

您可以通过多种方式解决此问题:

You can solve this in several ways:

1) 通过 security.always_authenticate_before_granting

您可以强制 Symfony 在每个请求上刷新用户，有效地重新加载所有角色.

You can force Symfony to refresh user on each request, effectively reloading all roles with it.

看到这个问题/答案:无需更改远程用户的角色重新登录

2) 通过EquatableInterface:

您需要实现 isEqualsTo(User)，这反过来应该将所有内容与 User 类进行比较，包括角色.

You need to implement isEqualsTo(User) which in turn should compare everything with User class, including roles.

请参阅此链接:创建用户班级

3) 最后，您可以使用DBMS 来存储会话.然后，只需找到记录并将其删除即可.

3) Finally, you can use DBMS to store sessions. Then, it's just matter of find the record and delete it.

这篇关于使 Symfony2 中特定用户的会话无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！