what to do if user forgot to log out?

sp*****@volja.net wrote:

I have a question about handling special cases of session expiration.
In a project I'm working on, the users must log out or else their
profile will be left in an unusable state -- at least until the
administrator fixes it by hand.

IMO, this is the same as a user logging in and doing absolutely nothing
until the session expires.

How does your application handle that?
JW

>I have a question about handling special cases of session expiration.

In a project I'm working on, the users must log out or else their
profile will be left in an unusable state -- at least until the
administrator fixes it by hand.
This kind of design you should avoid at all costs. The administrator
may either go insane or may be convicted for murdering you.

If you must enforce logging in only once, when duplicate logins
happen, kick off the *OLD* login.
What is the proper way of handling this? Is there a way to supply a
function that is called when a session times out? What if the browser
is closed?
It is common to have a session expire after some timeout after the
last hit or after login. It is *NOT* common to have code run at
that time. If your design requires that, well, do it another way.
It is common to check if the login has expired (might be days after
the session has expired) on each hit, and if so, redirect to the
login page again.
I realize the best solution might depend on many things, so I'll be
grateful for any pointers.

Users can have their sessions end for numerous reasons and they
cannot clean up afterwards: the computer crashes. Their dialup
line drops and they get back a different IP on redialing. Power
failures. The browser crashes. So forget about having code run
when any of these happen. You can have code run when they attempt
using the same session *after* it has expired (possibly years later).

Gordon L. Burditt

One reason to want to have something run on logout/session time out is
to keep track of online/offline users (many bulletin boards have to
deal with this problem).

One solution is to have a function call at the beginning of each page
that checks if it has been 5 minutes (or whatever time you want) since
the last action of all users. You keep track of all users yourself
through database entries or something similar and if some of them
appear inactive, you clean them up.

This can has a negative impact on performance as you are running a lot
of code that in most cases will do nothing, but it should work ok in
most circumstances. It also has the side-effect that if your site in
general is not very popular, the clean up may happen hours later, when
the next visitor comes to see a page. This second disadvantage is
addressed below.

Another solution is to have a cron job, that is separate from your
application and runs every n minutes to check for similarly setup
database or other user tracking mechanism and clean up inactive
entries.

Anyone else? I am actually trying to think of a better way to do this
as neither of the above works perfectly (as in optimized from an
algorithmical point of view) and I would appreciate to hear if someone
has figured out a better approach.

Following on from 's message. . .

Hello.

I have a question about handling special cases of session expiration.
In a project I'm working on, the users must log out or else their
profile will be left in an unusable state -- at least until the
administrator fixes it by hand.

What is the proper way of handling this? Is there a way to supply a
function that is called when a session times out? What if the browser
is closed?
Go back to programming school!

"Unstable states" are no more acceptable in software than loose bolts
holding aeroplane wings on.


I realize the best solution might depend on many things, so I'll be
grateful for any pointers.

Thanks,

andrej

--
PETER FOX Not the same since the pancake business flopped
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>

cyberhorse said the following on 12/06/2005 08:51:

One reason to want to have something run on logout/session time out is
to keep track of online/offline users (many bulletin boards have to
deal with this problem).

One solution is to have a function call at the beginning of each page
that checks if it has been 5 minutes (or whatever time you want) since
the last action of all users. You keep track of all users yourself
through database entries or something similar and if some of them
appear inactive, you clean them up.

This can has a negative impact on performance as you are running a lot
of code that in most cases will do nothing
It shouldn't have that much of an effect if you push the clean-up into
the database query, i.e. you do something like:

UPDATE users SET online = 0 WHERE (lastOnlineTime + x) < NOW()

Although I haven't tested the speed of this, so I could be wrong! It's
almost certainly faster than doing it in manually in PHP though. (You
could probably optimise this by adding "online = 1 AND" into the WHERE
clause, and indexing the online column... maybe)
It also has the side-effect that if your site in
general is not very popular, the clean up may happen hours later, when
the next visitor comes to see a page. This second disadvantage is
addressed below.

Is this one really a disadvantage though? You're right, the clear-up
won't happen for hours, but there's no-one using the site in the interim
to find this out!!

The update still occurs exactly when it needs to, i.e. just before a
user uses the site/page.
--
Oli

Oli Filth wrote:

cyberhorse said the following on 12/06/2005 08:51:

One reason to want to have something run on logout/session time out is
to keep track of online/offline users (many bulletin boards have to
deal with this problem).

One solution is to have a function call at the beginning of each page
that checks if it has been 5 minutes (or whatever time you want) since
the last action of all users. You keep track of all users yourself
through database entries or something similar and if some of them
appear inactive, you clean them up.

This can has a negative impact on performance as you are running a lot
of code that in most cases will do nothing

It shouldn't have that much of an effect if you push the clean-up into
the database query, i.e. you do something like:

UPDATE users SET online = 0 WHERE (lastOnlineTime + x) < NOW()

Although I haven't tested the speed of this, so I could be wrong! It's
almost certainly faster than doing it in manually in PHP though. (You
could probably optimise this by adding "online = 1 AND" into the WHERE
clause, and indexing the online column... maybe)

The speed problem can be cleared up if you use a column "sessionExpireTime",
and then index on sessionExpireTime, and then query like so:

UPDATE sessions SET online = 0
WHERE sessionExpireTime < NOW()
AND session <> session_id

....while this may seem like nitpicking, it ensures that the server will
always use the index, regardless of which server platform you are using.

It is also important to filter out the session you are working with, because
in a moment you are about to issue this query to refresh the current
session:
UPDATE sessions set sessionExpireTime = NOW() + x
WHERE sessionid = session_id

....and on a busy site the processes doing the first update will keep
deadlocking with the processes doing the second update and your site will
lock up.

--
Kenneth Downs
Secure Data Software, Inc.
(Ken)nneth@(Sec)ure(Dat)a(.com)