468,107 Members | 1,320 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 468,107 developers. It's quick & easy.

Forced user logout / Cancel sessions and cleanup

Hi all,

Currently I use a timestamp to log users out after 15 minutes of
inactivity.
However I also need to log a user out if they have just left the page.
I need to do this because I store current online users in a database,
allowing a maximum of 5 users at one time.

I have been looking through the php manual and came across
session_cache_expire(). This isn't doing what I need either. Am I
going in the wrong direction with this?

Basically my question is, is there a way to log a user out (and clear
my user_online database) if they just leave the page?

Thanks in advance for any suggestions.

Feb 19 '06 #1
13 2059
No, you can't because of the stateless nature of http.
Though, you might be able to embed some sort of java applet that sent a
message when it unloaded from a page refresh/change. That might be
more work than its worth, though.

Feb 19 '06 #2
actually, you can cleanup a session:

http://www.php.net/manual/en/functio...on-destroy.php
Richard Levasseur wrote:
No, you can't because of the stateless nature of http.
Though, you might be able to embed some sort of java applet that sent a
message when it unloaded from a page refresh/change. That might be
more work than its worth, though.

Feb 19 '06 #3
Mickey wrote:
Hi all,

Currently I use a timestamp to log users out after 15 minutes of
inactivity.
However I also need to log a user out if they have just left the page.
I need to do this because I store current online users in a database,
allowing a maximum of 5 users at one time.

I have been looking through the php manual and came across
session_cache_expire(). This isn't doing what I need either. Am I
going in the wrong direction with this?

Basically my question is, is there a way to log a user out (and clear
my user_online database) if they just leave the page?

Thanks in advance for any suggestions.

The short answer is 'no'.

If a user goes to another page via the browser, then there is no
conversation with your server. So there is no way for your server to
know that the user has left.

Think of it as if your server is receiving mail. You know when you get a
letter, you can tell the time since you last got a letter and you can
reply to a letter, but there is no way to know that the user has also
written a letter to someone else.

Now, if you keep the 'last heard from' timestamp in a database, you may
release a session based upon a last response time (i.e. fifteen minutes)
without having to hear from the browser at all. (i.e. no cookie exchange
is required) Its not the same as detecting that they have gone elsewhere
but is probably the best you can do.

-david-

Feb 19 '06 #4
Using JavaScript, you could use the onunload event of the body to
contact the server to log out. However, that would also log a user out
if he requests another page of the server.
Or, you could keep refreshing a subframe as a "live" signal.
Mickey wrote:
Hi all,

Currently I use a timestamp to log users out after 15 minutes of
inactivity.
However I also need to log a user out if they have just left the page.
I need to do this because I store current online users in a database,
allowing a maximum of 5 users at one time.

I have been looking through the php manual and came across
session_cache_expire(). This isn't doing what I need either. Am I
going in the wrong direction with this?

Basically my question is, is there a way to log a user out (and clear
my user_online database) if they just leave the page?

Thanks in advance for any suggestions.

Feb 19 '06 #5
Thanks to all for the replies.
Now, if you keep the 'last heard from' timestamp in a database, you may
release a session based upon a last response time (i.e. fifteen minutes)
without having to hear from the browser at all. (i.e. no cookie exchange
is required) Its not the same as detecting that they have gone elsewhere
but is probably the best you can do.
This is interesting.
Currently I am storing the 'last heard from' timestamp in a database
and if the user refreshes their browser and a specified amount of time
has passed then they are directed to re-login.
However, if the user closes their browser, I need to be able to clean
out the database of currently logged on users. I can't do this if the
user doesn't refresh their browser.
release a session based upon a last response time


Ultimately, this is what I am trying to do, and also delete this user
from the list of currently online users. Can this be done once the user
has left the page or is there a better way to acheive this?

Thanks again for the replies.

Feb 19 '06 #6
You can remove the inactive user when any user load their page. For
each page, simply call a function 'refresh' that does:

function refresh() {
// remove all inactives user
DELETE FROM session WHERE last_heard_of > 15 minutes
// Verify that the current user is still active
SELECT * FROM session WHERE user=xxx
// refresh the current user if still active
UPDATE session SET last_heard_of = now WHERE user= xxx
}

That's a simple way to clean your database.

Feb 20 '06 #7
"Dikkie Dik" <no****@nospam.org> wrote in message
news:a4***************************@news.versatel.n l...
actually, you can cleanup a session:

http://www.php.net/manual/en/functio...on-destroy.php

that's not the point here. The problem is how to detect when a user leaves
the website. If I just close the browser, how's the script gonna know when
to session_destroy()? Between two page requests the server has no idea what
the user is doing, did he leave to watch p0rn, did he close the browser, did
he close the entire computer. Not until he again requests a page. The
fundamental problem is when can the server safely assume that the user is
not returning to the site again... It's not about HOW TO destroy the
session, it's WHEN to destroy the session.

--
"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu SirviŲ
sp**@outolempi.net | Gedoon-S @ IRCnet | rot13(xv***@bhgbyrzcv.arg)
Feb 20 '06 #8
d
"Richard Levasseur" <ri********@gmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
No, you can't because of the stateless nature of http.
Though, you might be able to embed some sort of java applet that sent a
message when it unloaded from a page refresh/change. That might be
more work than its worth, though.


You can use javascript to handle that. You can have a function fire when
the page is being unloaded, and have that destroy the session.
Feb 20 '06 #9
d wrote:
"Richard Levasseur" <ri********@gmail.com> wrote in message
news:11**********************@f14g2000cwb.googlegr oups.com...
No, you can't because of the stateless nature of http.
Though, you might be able to embed some sort of java applet that sent a
message when it unloaded from a page refresh/change. That might be
more work than its worth, though.

You can use javascript to handle that. You can have a function fire when
the page is being unloaded, and have that destroy the session.


If the user has javascript enabled and the connection is still active.

I wouldn't depend on it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Feb 20 '06 #10
On 2006-02-19, Mickey <mi************@gmail.com> wrote:
Thanks to all for the replies.
Now, if you keep the 'last heard from' timestamp in a database, you may
release a session based upon a last response time (i.e. fifteen minutes)
without having to hear from the browser at all. (i.e. no cookie exchange
is required) Its not the same as detecting that they have gone elsewhere
but is probably the best you can do.
This is interesting.
Currently I am storing the 'last heard from' timestamp in a database
and if the user refreshes their browser and a specified amount of time
has passed then they are directed to re-login.
However, if the user closes their browser, I need to be able to clean
out the database of currently logged on users. I can't do this if the
user doesn't refresh their browser.


why can't you? all that's needed is

delete from sessions where last_access < now - INTERVAL '0:15:00';

or similar.
Ultimately, this is what I am trying to do, and also delete this user
from the list of currently online users. Can this be done once the user
has left the page or is there a better way to acheive this?


it's hard to determine when a user leaves.

Bye.
Jasen
Feb 20 '06 #11

Jasen Betts wrote:
On 2006-02-19, Mickey <mi************@gmail.com> wrote:
Thanks to all for the replies.
Now, if you keep the 'last heard from' timestamp in a database, you may
release a session based upon a last response time (i.e. fifteen minutes)
without having to hear from the browser at all. (i.e. no cookie exchange
is required) Its not the same as detecting that they have gone elsewhere
but is probably the best you can do.


This is interesting.
Currently I am storing the 'last heard from' timestamp in a database
and if the user refreshes their browser and a specified amount of time
has passed then they are directed to re-login.
However, if the user closes their browser, I need to be able to clean
out the database of currently logged on users. I can't do this if the
user doesn't refresh their browser.


why can't you? all that's needed is

delete from sessions where last_access < now - INTERVAL '0:15:00';

or similar.


The problem is he can't be notified - for sure - when they leave his
website, so he doesn't know when, exactly, to run that query. Deleting
old session every page hit would catch 15 minute time outs immediately,
but not the instance of if they close their browser/leave his website
(as you say below). Additionally, if no one hit the page the database
wouldn't be updated (which may or may not be important, can't tell from
what he's said so far). Then, eventually, though unlikely, all 5
logins would fill up and the user would be locked out until one of
those sessions timed out.
Ultimately, this is what I am trying to do, and also delete this user
from the list of currently online users. Can this be done once the user
has left the page or is there a better way to acheive this?


it's hard to determine when a user leaves.

Bye.
Jasen


Agreed. Again, because of the nature of HTTP, you generally will not
know when they run leave your server (thats the worst thing about
webdev, absolutely no client - server trust :( ).

Another alternative to using javascript/java to maintain a heartbeat
back to your server would be to have a cron-job run every few minutes
and run the above query to update the database. You don't have the
advantage of immediate update on every page hit, but then again you
don't have the load of updating the database every page hit.

Generally, imo, i just allow a single session for a user, as multiple
tabs/dervied windows are the same session, using timeouts for when a
record needs to be locked for editing by a single user.

I believe there was another thread on a topic similar to this, and,
iirc, one proposed solution was to keep track of the previously logged
in session ID, and on new log ins, delete the old session and set the
old id as the new id (in fact, i think i made the post on that, i can't
recall exactly). This concept could easily be extended to allow some
arbitrary amount of session for a simultaneous login limit.

Feb 20 '06 #12
On 2006-02-20, Kimmo Laine <sp**@outolempi.net> wrote:
"Dikkie Dik" <no****@nospam.org> wrote in message
news:a4***************************@news.versatel.n l...
actually, you can cleanup a session:

http://www.php.net/manual/en/functio...on-destroy.php

that's not the point here. The problem is how to detect when a user leaves
the website. If I just close the browser, how's the script gonna know when
to session_destroy()? Between two page requests the server has no idea what
the user is doing, did he leave to watch p0rn, did he close the browser, did
he close the entire computer. Not until he again requests a page. The
fundamental problem is when can the server safely assume that the user is
not returning to the site again... It's not about HOW TO destroy the
session, it's WHEN to destroy the session.


you have to tell it how to guess when.
while they are not requesting content from your site all you can know is what
they are not doing.

--

Bye.
Jasen
Feb 21 '06 #13
First off, thanks again for the replies.
I have solved this now the best I could.

In the end I was going to go for the Javascript onUnload option,
however it really didn't suit this application.
So instead, I decided to check everything at login.

To solve the problem of having a maximum (5) number of users
downloading at one time:
When a user logs in I query the users_online table. If there is 5
users then I check if any of them have been online for 30 minutes, if a
user has been online for 30 minutes then I delete this entry from the
users_online table and allow the next user to log in. When the user
over the 30 minutes limit tries to download another file they are
forced to re-login and wait in line.

This gives the effect of allowing 30 minutes for each user to download
at once while keeping a consistant queue for all members.

This seemed to be the best solution in my case.

Thanks again for all the help and suggestion.

Feb 21 '06 #14

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

15 posts views Thread by Joshua Beall | last post: by
8 posts views Thread by Harlin Seritt | last post: by
3 posts views Thread by Dan Walls | last post: by
9 posts views Thread by Laurent Bugnion | last post: by
25 posts views Thread by crescent_au | last post: by
3 posts views Thread by kpg* | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.