"Andrew Urquhart" <ReplyVia_contact.
...@URLin.Sig> wrote in message
news:BplZ7.55314$4x4.7280949@news2-win.server.ntlworld.com...
OK, how's about this? It's a bit long and possibly a bit waffly and I may
not have covered all aspects of the problem. E&OE. I have tested the script
snippet at the end and it worked fine in IE6 talking to ASP (JScript).
#################
How do I log-out a user when they leave my site?
This cannot be done reliably. Here's why:
1. A user may disable javascript, or may not have a javascript capability,
so the log-out script will never execute.
2. A user may not be connected to the Internet/Intranet when they close your
web page.
3. Javascript errors elsewhere in the page may prevent the script executing.
In such circumstances sessions may be abandoned by the user but may still be
active at the server. The user may not be able to log-in again whilst this
session remains active. Alternatively a malicious user may find such a
session and start using it.
OK, how should I do it then?
Firstly realise that this must always be done
at the server - this is the only thing you have direct control over.
Secondly the solution needs to be invoked at the design stage of your
application. Design your application such that restricted access is
controlled by session information in a database table on the server. When a
user logs-in, insert the user's session identifier (SessionID) into the table
along with the current server time plus the allowed duration of their
session, e.g. 15 minutes. A user's session is valid whilst their SessionID
can be found in the session table and their timestamp is greater than or equal to
the current server time. Logged-out now simply means any user whose
SessionID cannot be found and/or whose timestamp is less than the current
server time. To maintain a session, update the timestamp field with the
current server time plus session duration. No client-side "log-out" button
is required because log-out will occur when the user stops visiting
pages/stops having their session updated. Use a server-side script, program
or database trigger to remove expired sessions from the session table. To
log-out early, delete the record matching the SessionID from the session
table.
However, provided you realise that client-side JavaScript cannot completely
take care of automatic log-outs, there are some things it can do to help.
When a user navigates to a page on a different server or closes their
browser you can, in some cases, use the <CODE>window.unload</CODE> event to
send some information to the server to trigger a log-out.
<PRE>
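// Ask the server to log this session out when the page unloads.
function aidLogout() {
  // Requesting an "image" sends a GET request to the log-out page.
  var i = new Image();
  i.src = "aidlogout.asp?uid=1562&SessionID=ABCDEFGHIJKLMNOP";
}
// Assign the handler to the onunload property so the unload event calls it.
window.onunload = aidLogout;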
</PRE>
The unload event triggers a request to the server to fetch the image named
"aidlogout.asp?uid=1562&SessionID=ABCDEFGHIJKLMNOP". The "aidlogout.asp"
page performs the server-side log-out and returns an image content-type
specified but with no actual content. If the above script doesn't get called
by the browser when the user leaves then no problem - your server-side
solution will catch it automatically later on. However, if it does run then
you are a little bit more secure and you've freed up resources at your
server sooner.
#################
--
Andrew Urquhart
____________________
http://andrewu.co.uk
. o O (Currently seeking UK employment, see cvHTML.asp)
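The server-side session table described in the post above, sketched as an added example (not part of the original post or the author's code): an in-memory Map stands in for the database table, and `SessionTable`, its method names and the injected clock are hypothetical. It assumes the SessionID has already been issued by the server framework.

```javascript
// Added example: in-memory stand-in for the session table in the post.
// SessionTable, its methods and the injected clock are hypothetical names.
class SessionTable {
  constructor(durationMs, now = () => Date.now()) {
    this.durationMs = durationMs; // allowed session duration, e.g. 15 minutes
    this.now = now;               // server clock, injectable so it can be tested
    this.rows = new Map();        // SessionID -> { uid, expires }
  }

  // Log-in: store the SessionID with current server time plus the duration.
  login(sessionId, uid) {
    this.rows.set(sessionId, { uid, expires: this.now() + this.durationMs });
  }

  // Call on every restricted page request. The session is valid while the
  // row exists and its timestamp is >= the current server time. A valid
  // request slides the expiry forward; an expired row is deleted on sight.
  touch(sessionId) {
    const row = this.rows.get(sessionId);
    if (!row) return null;
    if (row.expires < this.now()) {
      this.rows.delete(sessionId);
      return null;
    }
    row.expires = this.now() + this.durationMs;
    return row.uid;
  }

  // Early log-out: what a log-out page such as aidlogout.asp would do.
  logout(sessionId) {
    return this.rows.delete(sessionId);
  }

  // Periodic clean-up job: remove expired rows, return how many were removed.
  purgeExpired() {
    let removed = 0;
    for (const [id, row] of this.rows) {
      if (row.expires < this.now()) {
        this.rows.delete(id);
        removed++;
      }
    }
    return removed;
  }
}
```

Because `touch` and `purgeExpired` both compare against the server clock, a session the browser never logged out of still ends once its timestamp passes.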