FOSUserBundle/Symfony2: Force logout of a user given a user (not the currently logged in user)

Question

Whenever I edit a user's role, the user needs to logout and log back in to see the changes. There's no problem when promoting a user as they just won't see the extra permissions until signing in again. However, when a demotion was to occur, a user will still keep its existing role which impose security risks. Imagine revoking admin user on a rogue employee, and still have them be able to do anything (eg. sabotaging the system) until they log out!

Is it possible to invalidate all sessions or tokens that are related to a specific user? If there is another way to dynamically update the roles of a user without logging them out, I would love to hear it!

Just to make it clear, I'm not trying to invalidate the currently logged in user's session/token.

Thanks in advance!

Answer 1

Symfony stores serialized token object under _security_match_firewall_name key in session. You can unserialize it, filter role and then save it again. For reading/saving session values you can use PdoSessionStorage. You may have to create an extra table for tracking users session.