
[RFC] Invalidating user logins on demote or deactivate

Open steveWinter opened this issue 7 years ago • 3 comments

Issue https://github.com/FriendsOfSymfony/FOSUserBundle/issues/1679 identifies the fact that a user must log out and back in again for promote/demote to be applied.

In the case of promote this isn't much of a concern; however, in the case of demote (and even more so for 'Deactivate', which isn't mentioned in the issue), if the user is currently logged in then they need to have this change applied immediately to ensure they are unable to perform actions which they are no longer authorised to do.

I propose adding a 'how-to' to address this in the documentation which suggests:

  1. use PdoSessionHandler to store sessions in a database table (as described in How to Use PdoSessionHandler to Store Sessions in the Database)
  2. add a session_id column to the User entity
  3. add an onSecurityInteractiveLogin listener which populates that field with the current session id
  4. add a FOSUserEvents::USER_DEMOTED listener which finds the session associated with the user and updates their roles
  5. add a FOSUserEvents::USER_DEACTIVATED listener which removes the session associated with the user

Does this seem like the 'best' approach to handle this cleanly? Other suggestions on how it could be done? What have people currently implemented to address this?

I'm happy to write the documentation and code samples if there's general agreement that this is the way to handle this situation.

steveWinter, Dec 03 '16 15:12
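Steps 3 to 5 of the proposal above, written out as one Symfony event subscriber. This is an added example, not code from the issue author or from FOSUserBundle. It assumes Symfony 3.x/4.x with `PdoSessionHandler` registered as an autowired service (as in the linked PdoSessionHandler how-to, default table `sessions`, id column `sess_id`), Doctrine ORM, and a hypothetical nullable string column `User::$sessionId` with `getSessionId()`/`setSessionId()` accessors (step 2). It departs from step 4 in one respect: rather than rewriting the roles inside the serialized token stored in the session row, it destroys the row on demote as well as on deactivate, so the demoted user is forced to re-authenticate and pick up their reduced roles from the database.

```php
<?php
// Added example (not FOSUserBundle's own code): invalidate a user's stored
// session when they are demoted or deactivated.
// Assumptions (hypothetical): App\Entity\User has a nullable string column
// sessionId with getSessionId()/setSessionId(); PdoSessionHandler is the
// configured session handler and is injectable as a service.

namespace App\EventListener;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use FOS\UserBundle\Event\UserEvent;
use FOS\UserBundle\FOSUserEvents;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Session\Storage\Handler\PdoSessionHandler;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\SecurityEvents;

class SessionInvalidationSubscriber implements EventSubscriberInterface
{
    private $em;
    private $sessionHandler;

    public function __construct(EntityManagerInterface $em, PdoSessionHandler $sessionHandler)
    {
        $this->em = $em;
        $this->sessionHandler = $sessionHandler;
    }

    public static function getSubscribedEvents()
    {
        return [
            SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin',
            FOSUserEvents::USER_DEMOTED      => 'onPrivilegeChange',
            FOSUserEvents::USER_DEACTIVATED  => 'onPrivilegeChange',
        ];
    }

    // Step 3: record the session id the user authenticated in.
    // The firewall has already rotated the session id by the time this event
    // fires (session_fixation_strategy defaults to "migrate"), so the id stored
    // here is the post-login one, not one an attacker could have fixed.
    public function onInteractiveLogin(InteractiveLoginEvent $event)
    {
        $user = $event->getAuthenticationToken()->getUser();
        if (!$user instanceof User) {
            return; // e.g. an in-memory or third-party user object
        }

        $user->setSessionId($event->getRequest()->getSession()->getId());
        $this->em->flush();
    }

    // Steps 4 and 5: delete the session row so the user's next request has no
    // authenticated token and they must log in again with their current roles
    // (or cannot log in at all, if deactivated). UserManipulator dispatches
    // these events after updateUser(), so the role/enabled change is already
    // persisted when this runs.
    public function onPrivilegeChange(UserEvent $event)
    {
        $user = $event->getUser();
        if (!$user instanceof User || null === $user->getSessionId()) {
            return; // user has not logged in since the column was added
        }

        // PdoSessionHandler::destroy() runs DELETE FROM sessions WHERE sess_id = :id
        $this->sessionHandler->destroy($user->getSessionId());

        $user->setSessionId(null);
        $this->em->flush();
    }
}
```

Two caveats a practitioner should check before relying on this. First, a single `session_id` column only tracks the most recent interactive login; a session the user still holds on another device is not invalidated, so if concurrent logins matter, store a one-to-many list of session ids and destroy all of them. Second, if an administrator demotes or deactivates their own account from within the session being destroyed, the session handler will write that session back at the end of the same request, so the deletion is undone; handle self-demotion separately (for example by calling `$request->getSession()->invalidate()` in that case).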