When used in this capacity, a filesystem basically is a database, and it actually is one that’s pretty darned well suited to the purpose at hand.   If you subdivide the data into sub-directories according to some rule, you can store millions of records easily.   Issues relating to file-sharing, e.g. as might be the case with SQLite, simply disappear.

Banning a user is a slightly different issue, o’course.   Usually that is handled during the login process.   If what you are actually concerned with is “session flooding,” in which a malicious site floods yours with bogus session-id tokens in order to fill up your session store, the simplest way to deal with that is by “salting” all valid session-ids with a portion that is computed by an (unknown to the attacker) SHA1 hash-substring.   This makes it more difficult to generate “millions of valid session tokens.”