PHP – Is It Right to Store User Permissions in PHP Sessions?


I am trying to integrate permissions for users and I want to find the best way to do that. I am thinking of saving all of the user's permissions in the session on login, but when a permission is changed by the admin, I don't know how to monitor that.

So that's why I'm not sure if this is the right way.

Best Answer

It is OK as long as you're treating this only as a cache and you implement some decent revalidation mechanism.

You may save some token for each user (for example in the database), which should change when the admin changes the permissions of a particular user. Then on every pageview you need to compare the token from the session with the token in the database. If they differ, you should refresh the permissions saved in the session from the source. In this way you should always have up-to-date permissions in the session.
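
The token comparison described in the answer, as an added example that is not part of the original answer. It assumes an integer `perm_version` column as the token, hypothetical `users` and `user_permissions` tables in an in-memory SQLite database via PDO, and a plain array standing in for `$_SESSION`.

```php
<?php
// Constructed demo schema (assumed for this example, not from the original post).
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, perm_version INTEGER NOT NULL)');
    $db->exec('CREATE TABLE user_permissions (user_id INTEGER, permission TEXT)');
    $db->exec('INSERT INTO users VALUES (1, 0)');
    return $db;
}

// Admin side: replace the permissions and change the token in one transaction.
function set_permissions(PDO $db, int $userId, array $perms): void
{
    $db->beginTransaction();
    $db->prepare('DELETE FROM user_permissions WHERE user_id = ?')->execute([$userId]);
    $ins = $db->prepare('INSERT INTO user_permissions VALUES (?, ?)');
    foreach ($perms as $p) { $ins->execute([$userId, $p]); }
    $db->prepare('UPDATE users SET perm_version = perm_version + 1 WHERE id = ?')->execute([$userId]);
    $db->commit();
}

// Every request: one cheap token lookup; reload the cached permissions only on mismatch.
function current_permissions(PDO $db, array &$session): array
{
    $stmt = $db->prepare('SELECT perm_version FROM users WHERE id = ?');
    $stmt->execute([$session['user_id'] ?? 0]);
    $version = $stmt->fetchColumn();
    if ($version === false) {          // user no longer exists: fail closed
        $session = [];
        return [];
    }
    if (($session['perm_version'] ?? null) !== (int) $version) {
        // Token is read before the permissions, so a concurrent change only causes one more refresh.
        $stmt = $db->prepare('SELECT permission FROM user_permissions WHERE user_id = ?');
        $stmt->execute([$session['user_id']]);
        $session['permissions'] = $stmt->fetchAll(PDO::FETCH_COLUMN);
        $session['perm_version'] = (int) $version;
    }
    return $session['permissions'];
}

$db = demo_db();
set_permissions($db, 1, ['read', 'write']);
$session = ['user_id' => 1];                    // stand-in for $_SESSION after login
print_r(current_permissions($db, $session));    // first request: loaded from the database
set_permissions($db, 1, ['read']);              // admin revokes "write"
print_r(current_permissions($db, $session));    // next request: token differs, cache refreshed
```

In a real application, pass `$_SESSION` as the second argument after `session_start()` and call `current_permissions()` before any authorization check.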