When used in this capacity, a filesystem basically is a database, and it actually is one that’s pretty darned well suited to the purpose at hand. If you subdivide the data into sub-directories according to some rule, you can store millions of records easily. Issues relating to file-sharing, e.g. as might be the case with SQLite, simply disappear.
Banning a user is a slightly different issue, o’course. Usually that is handled during the login process. If what you are actually concerned with is “session flooding,” in which a malicious site floods yours with bogus session-id tokens in order to fill up your session store, the simplest way to deal with that is by “salting” all valid session-ids with a portion that is computed by an (unknown to the attacker) SHA1 hash-substring. This makes it more difficult to generate “millions of valid session tokens.”