I have a system that represents users as object. These object are initialized by reading in a database. Once the users (or objects) are created I store them in a session in order to navigate through pages without re-initiate the users from the database.
Suppose that an admin changes (let say) the users' permissions. From the edit until the session expires, a user could have higher (or lower) permissions than those declared by the admin.
How can I handle this kind of situation? Suppose I have a sessions that expires after hours or more. Should I send a request to database every n minutes to update the user objects?