Page 1 of 2

How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 6:51 am
by ben.artiss
Hi,

All of the login systems I design use PHP to compare user input to the database (bare with me), so it takes a user's action to trigger a reaction. However, if you need to know when a user leaves the website (i.e. if they close the browser as opposed to clicking 'logout' first), is the only way to do this by using javascript's window.unload (or beforeunload) event? I'm familiar with AJAX so I assume it's possible to just send a quick request to logout before the window closes.. but not everyone has javascript/ajax support.

I've seen it in lots of websites - "There are n users online". How do these websites know if the user has left without clicking the logout button? Would it be a web-service that pings the user's IP every so often? Any suggestions would be really appreciated!

Thanks, Ben

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 7:08 am
by Inkyskin
There will be a check that goes on - users who haven't been active (ie clicked a link within the site) for the last 5, 10, 15 or however many minutes will be removed from the list of those online.

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 7:34 am
by php_east
ben.artiss wrote:.. but not everyone has javascript/ajax support.
i guess at some point we would need to assume those without javascript represents <0.1% of users.
ben.artiss wrote:Would it be a web-service that pings the user's IP every so often?
this would be a neat idea, only that access from server to client is almost always blocked by a firewall, and a hardware wall ( routers ). and routers are always on so they will never not reply to ping. nice idea, there must be some other way to do it. skype does it by taking over user port 80 :) ( and wreck havoc on the LAMP/WAMP community, 'lol )

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 12:17 pm
by John Cartwright
I usually will send an ajax request every minute to keep their session alive. If I havn't from from them in a few minutes then they are logged out. If ajax is disable, it will degrade gracefully into either a dynamic script tag or an iframe.

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 12:52 pm
by php_east
John Cartwright wrote:If ajax is disable, it will degrade gracefully into either a dynamic script tag........
a what ? hows does it look like ?

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 1:04 pm
by John Cartwright
When I said dynamic script tag I mixed up this discussion from something from work. I actually didn't mean to use the script tag as an example of degrading without javascript. I was thinking about degrading gracefully without ajax support, such as cross-domain requests. I believe jQuery does this with jsonp.

As for this discussion, I actually just meant to say iframe (with meta redirect back to itself).

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 1:18 pm
by php_east
thanks for the explanation, it cleared my confusion. another thing i noticed is the keep alive in headers. i wonder is this can be of any use in this case.

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 5:47 pm
by ben.artiss
Thanks for the responses. Just as I suspected tho! Still a reassurance that there's like <0.1% without AJAX.

Just to clarify about checking when a user clicks on a link: would this information be stored in the database? I'm getting confused again..! No matter which way I think about it I'm sure there needs to be a web-service in there to do a check how long a user has been inactive for - am I on the right tracks? The ideal way would be to execute the logout onbeforeunload but that still leaves some people in the dark. Am I being a little too picky?

Facebook have got it spot on - i.e. they know when you're online to chat or not, but am I right in thinking they'd be using java/ajax for that?
php_east wrote:and wreck havoc on the LAMP/WAMP community, 'lol )
Little bit of havoc never hurt anyone! :)

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 6:07 pm
by ben.artiss
Hmmm I was just having a quick look at php_east's suggestion about keep alive headers. Has anyone come across this class?

"PHP class for easy use of HTTP keep alive connections. Handles transparently close connections, keep alives with content-length, and chunked encoding."

I'm a bit baffled by what I'm looking at right now, but it seems to have some potential.. but again it seems to be pointing toward a web service/crawler. I've made a web service before for a .NET program to get some info from an online database, but that requires a user action to get a response - so I think I'm possibly looking at scripts to run every so often using cron? Ajax is looking all the more tempting lol

Re: How to tell when a user is no longer logged on?

Posted: Wed Mar 25, 2009 6:16 pm
by ben.artiss
Oops, that class is obsolete :D didn't read the feedback either.. in fact a closer look says it's not worth the time! But something you said (php_east) about skype using port 80 - MAMP also uses port 80, so am I more vulnerable when I have them both running? Forgive my ignorance (and for going off topic!) but it just crossed my mind.

Ben

Re: How to tell when a user is no longer logged on?

Posted: Thu Mar 26, 2009 1:06 am
by php_east
ben.artiss wrote:Oops, that class is obsolete :D didn't read the feedback either.. in fact a closer look says it's not worth the time!
so you mean we dont need ot btoehr about keep alive in the headers ? ? heh, if so thanks, that's good news it will save time not having to look at it.
ben.artiss wrote:But something you said (php_east) about skype using port 80 - MAMP also uses port 80, so am I more vulnerable when I have them both running? Forgive my ignorance (and for going off topic!) but it just crossed my mind.
Ben
it's not actually off topic to me, it's one way to tell if a user is logged on. if you have access to the users port:80 you can poll. skype uses port 80, for you to receive calls/messsages. they can tell if youre "off hook" or "online". so they can of course invoke some useful action at your end and receive results of the action. so they can tell, if you're currently picking your nose if they wish.

i don't think vulnerablity is much of an issue for just one port, and in fact me thinks all this vulnerabilty crap is slowing down the entire industry. but i do not want to go off topic. as if we all have pots of gold in our pc to hide from being stolen.

certainly skype didn't bother about vulnerability. it fights with your apache trying to grab port 80 and skype always wins.

as for other ways, i have not found any, but if any interesting method is to be found, access to the user end is a must i think. vulnerability wise, i am quite uncertain if it is that bad, i think the issue is overblown. kinda like SEO thing. what skype has done proves a point.

we have sitting with us a connetced pc, but shuts away all our ports leaves a lot of possibilities out. it's one thing to be afraid, its another to left out of some really good opportunities.

currently the best way i think is the way ~John Cartwright is doing it
John Cartwright wrote:I usually will send an ajax request every minute to keep their session alive. If I havn't from from them in a few minutes then they are logged out.
i used the same technique for a whoisonline application and it perform exceedingly well with 7 seconds polling.

Re: How to tell when a user is no longer logged on?

Posted: Thu Mar 26, 2009 6:40 am
by ben.artiss
Great stuff thanks for your help man, AJAX it is :D but if I ever do come across a way to 'talk' more closely with the client-side I'll post back.

Re: How to tell when a user is no longer logged on?

Posted: Sun Mar 29, 2009 8:57 am
by kaisellgren
John Cartwright wrote:I usually will send an ajax request every minute to keep their session alive.
Why?

Re: How to tell when a user is no longer logged on?

Posted: Sun Mar 29, 2009 10:09 am
by crazycoders
What i do is keep a lastactive date in a sessions table and on each request of anyone purge the table entries that havent been active for some specific number of minutes.

If you aim is to build stats, you can then use a SQL algorithm to look at the time each request happens (You'd have to log them though :)), deduce an average time between requests and apply this to the last request->norequest to have the total time the user was on the website.

With a table of requests, you can even build complex stats such as where do your users leave your site, enter into it, how much time they stay on it and so on. Several high level webstat engines offer this but sometimes you need more...

Re: How to tell when a user is no longer logged on?

Posted: Sun Mar 29, 2009 8:06 pm
by John Cartwright
kaisellgren wrote:
John Cartwright wrote:I usually will send an ajax request every minute to keep their session alive.
Why?
To keep their session alive :?. I don't normally do this, only when it is a requirement for the application. This is especially important when designing applications where content is being pushed from the server to the client, and polling is not an option.