473,699 Members | 2,607 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Monitoring logged-in users with sessions: autologoff

Hi all,
I'm currently relying on logged-in users hitting "logout"
(logoff) before they leave, in order to terminate the session.

With PHP the session filename is in a cookie that lasts for the
current session. The problem is that the server does not know
when the current session expires. (I have quite long timeouts.)

Did anybody attempt a script to automatically call "logout"
when the session expires? It seems quite complicate, as there
are multiple urls that share the same session and the user is
not actually logging out until one of them is open in some
client window.

Any better ideas?

TIA
Ale

Jul 23 '05 #1
4 1239
>I'm currently relying on logged-in users hitting "logout"
(logoff) before they leave, in order to terminate the session.

With PHP the session filename is in a cookie that lasts for the
current session. The problem is that the server does not know
when the current session expires. (I have quite long timeouts.)
Then keep track of the timeout yourself.
When the user logs in successfully, set $_SESSION['last_hit']
to the current time. When the user hits a page, check his
login INCLUDING that $_SESSION['last_hit'] being not too old.
If it is too old, redirect to the login page.

If the session is valid, and you want to count the timeout from
the last hit, not the time of login, set $_SESSION['last_hit']
to the current time.

Did anybody attempt a script to automatically call "logout"
when the session expires?


You can't send a page to the browser spontaneously.
You can invalidate the login. With the above procedure,
you don't have to actually DO anything to expire the session
at the time it expires, just check if it has expired at
each page hit.

Gordon L. Burditt
Jul 23 '05 #2
Yup, I'm keeping track of login and last_hit times. However, the server
is not able to distinguish between a user who is taking a long time to
post an update from a user who killed the browser window without
hitting logoff. (The purpose is to just warn them when more than one
is updating the same data.)
You can't send a page to the browser spontaneously.


I could use the onBlur feature to automatically load logoff.
Perhaps I could use a frame, where an invisible page stays there
just to confirm that the user's session is still valid. Many sites,
e.g. PostNuke, display to a user what other users are currently
logged on, so I don't want to reinvent the weel...

Jul 23 '05 #3
>Yup, I'm keeping track of login and last_hit times. However, the server
is not able to distinguish between a user who is taking a long time to
post an update from a user who killed the browser window without
hitting logoff. (The purpose is to just warn them when more than one
is updating the same data.)
If you are really trying to track simultaneous updates to the same
data, you need a lot more than login information. And isn't the
time to do this when the user submits the conflicting change?

What's your purpose in trying to tell when a user has "logged off"
(whatever that means)? Invalidating a session after a certain amount
of time addresses the "unattended keyboard" security issue (and
doesn't require dealing with the browser at all). If this isn't the
point, what is?
You can't send a page to the browser spontaneously.


I could use the onBlur feature to automatically load logoff.


It's this sort of thing that is a major reason Javascript is Turned Off(tm).
Perhaps I could use a frame, where an invisible page stays there
just to confirm that the user's session is still valid. Many sites,
e.g. PostNuke, display to a user what other users are currently
logged on, so I don't want to reinvent the weel...


If your purpose is to display who's logged on, that info is suspect
at best. You can't tell the difference between someone who is still
entering an update and one who has been arrested (leaving his browser
open) and is serving a life sentence, except by the magnitude of
the idle time. Oh, yes, there's also computers crashing, power
failures, and suddenly getting disconnected from the Internet via
dialup lines (call waiting, line noise, someone picks up extension
and starts dialing, etc.).

I suspect those sites displaying users logged in are using timeouts
and not worrying too much about accuracy.

Gordon L. Burditt
Jul 23 '05 #4
>> (The purpose is to just warn them when more than one
is updating the same data.)
If you are really trying to track simultaneous updates to the same
data, you need a lot more than login information. And isn't the
time to do this when the user submits the conflicting change?
I used to provide for sending data's timestamp as a hidden field
and checking it before executing the update when it comes back.
It is an expensive style of coding, not always strightforward,
and seldom firing: users often work in the same office, know
what everybody else does, and apply human reasoning. Thus I've
decided I'll just warn them if they enter in the same logic area.
One logic area has its own cookie name and corresponding list of
sessions. The server maintains a session-group's list in a file
named after the cookie: on each request, the server deletes from
the list any session-id whose corresponding file doesn'exist any
more.

The other use of sessions is to store confirmation messages,
e.g. "your move operation succeeded: it moved 24 items".
Concurrency warnings, e.g. "user smith logged off at 10:44:35,
no other user is logged on", are appended to confirmations.

The resulting code is quite compact and smoothly portable to
different logic areas. One difficulty is adding the logoff link
to every page, which increases the likelyhood that the user
does not logoff... :-(
You can't tell the difference between someone who is still
entering an update and one who has been arrested (leaving his
browser open) and is serving a life sentence
However, the prisoner can get a mercy or ask to a relative to do
something with the browser for him. After the browser dies, there
is no way to reach the session on the server, except searching
all sessions in a group for the given user-id. That way a user can
delete all non-current sessions he owns, i.e. all sessions having
his user-id except the one issuing the "force logoff" command.
I suspect those sites displaying users logged in are using timeouts
and not worrying too much about accuracy.


Yes, and probably they have short (~300 secs) timeouts. I will wait
until next day, still shorter than life sentences, in most cases :-)

Jul 23 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1145
by: Stephen Hillyer | last post by:
Does anyone know of a way to get SBS monitoring to log to SQL 2000 enterprise rather than the Desktop SQL Engine? I have an SQL Server running the databases for WSS, and have removed this instance from SBS, but I cannot find out if it is possible to move the monitoring database off SBS, or upgrade the desktop SQL engine to SQL 2000 (sp3) on the SBS server. Cheers, Steve
0
942
by: csomberg | last post by:
SQL 2000 SP3 Howdy all. I saw some code out there somewhere that logged deadlock info including SQL code that caused it as well as the user information. Any ideas ? Thanks,
1
5482
by: Daniel Chou | last post by:
Hello, I have two questions about "not logged initially": 1. Before using "alter table tbname activate not logged initially", should the table be created with "not logged initially"? 2. After using "alter table tbname activate not logged initially", how to deactivate it?
0
1802
by: msnews.microsoft.com | last post by:
No clue why I get this error. It doesn't happen on my local machine. It doesn't give a clue as to where it occurs. Any way to track this? I'm not even sure if it's affecting the web site. It seems to run fine regardless of the error. ------------------- System.Web.HttpException: Invalid file name for monitoring: 'c:\websites\edit336\edit.com\~'. File names for monitoring must have absolute paths, and no wildcards. at...
0
1013
by: athos | last post by:
Dear guys, Now we are trying to build an Audit-Log module for our projects. The idea is to 1. develop a module that could be used by different projects to save the log, including account management, master data, and transaction data actions. 2. based on the requirement of each project, use SSRS to define different reports showing corresponding logs
1
1233
by: John | last post by:
Hi My webform works fine on local dev server but when uploaded to a remote host it comes up with the following error. What is the problem and how can I fix it? Thanks Regards
1
1996
by: Jo | last post by:
Hi. I have a few questions regd event monitoring. Would appreciate some assistance with this. 1. Does the event monitor only insert data into the event monitoring tables once the connection has been disconnected? sometimes when i select from the tables the data does not show current connections, only when i use the FLUSH command the data is updated. so, is my understanding correct? thanks. 2. Can we activate and deactivate the event...
4
1534
by: natG | last post by:
Well folks, I didn't heed the warnings (that excessive monitoring, statistics, etc. can cause a performance hit) and I have been playing around with all kinds of monitors, snapshots, especially with the gui. BUT! Performance has dropped 70%! The monitors show that the the most system overhead is caused by these selects themselves. Question 1: Is there a big red switch that turns OFF *all* of this type of activity! Question 2: If so, can I...
5
2001
by: rohit | last post by:
hi, i am designing a desktop search engine using python. i am having a query , is there a package available that contains functions for retrieving the files being edited , created,deleted in the file system. thanks
0
2958
by: aleu | last post by:
Hi, I was wondering whether any of you is monitoring MSSQL server 2005 (whatever information could be obtained) from a remote Linux server with the use of SNMP or WMI-perl scripts (for example via MRTG or Cacti)? Is something like that even do-able with MSSQL 2005? Could you share some information on your monitoring solution? Thanks, Aleu
0
8706
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8633
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9055
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
8947
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
8902
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
7787
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
5891
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4392
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
3
2016
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.