I am using CGI::Session, and for the most part, all is well. However, I have one requrement that I have not found even mentioned in the documentation.
One of the session parameters that I set is user_id (guaranteed to be unique). The use case I need to address involves an administrator who needs to disable a given user's account. However, there is the possibility of a problem since all users can change their own password. Since the obvious solution to disable an account is to change the password to something random, if the user has a current session, it is entirely possible that he might change his password to something else after the administrator has attempted to disable the account. On writing this, it occurs to me that I could require the user to re-enter his password in order to change it (solving one problem), but that still doesn't prevent the user from keeping a currently active session open indefinitely after the account is supposed to be disabled. If the user is an employee who has just been fired, he could do significant damage if I can't expire his sessions the instant his account is disabled.
Is it possible to iterate through all sessions that have not expired, and force those with a specific user ID to expire, in an operation that is simultaneous to the operation that changes the password in the DB?
NB: In this case, it is not the current user's session that must be forced to expire but rather any connected to a user who is no longer to be permitted to access or edit the data in the system.
NB: It is not acceptable to just delete the account as there may have accumulated a significant amount of data that must remain auditable, and relatable to a specific person.
Any thoughts on how I might do this would be greatly appreciated.
In reply to how do I force a specific session, not my own, to end? by ted.byers