how often should i check user permissions?

sneakyimp

general design question here:

i'm creating a flash client for a site. the site will only permit authorized users to view it. what i'm wondering is how often should i check the user's username/password against the database? the people i'm making the website for want to be able to exclude anybody at any given time...this would suggest that i check permissions with every page access just in case the admin has decided to boot someone by revoking their access permission.

ordinarily, i consider a user logged in if my $SESSION['username'] variable is set (or perhaps $SESSION['permission'] is true). how long does it take for a session to expire?

drew010

usually a session will expire when a user closes their browser but a maximum lifetime can also be specified in seconds when php will destroy the session data is has stored in the session path.
if you want to ensure a user always has permissions, make a function of some sort that checks the session username and password with that in the database and authorize them at every page load.

drawmack

what I do is set an access level session variable then on every page I check that user's access level against the database and if they differ I consider them logged out. That way if a user is banned it takes effect immediatly.