Forced user logout / Cancel sessions and cleanup

Mickey

Feb 19, 2006, 11:22:37 AM
Hi all,

Currently I use a timestamp to log users out after 15 minutes of
inactivity.
However I also need to log a user out if they have just left the page.
I need to do this because I store current online users in a database,
allowing a maximum of 5 users at one time.

I have been looking through the php manual and came across
session_cache_expire(). This isn't doing what I need either. Am I
going in the wrong direction with this?

Basically my question is, is there a way to log a user out (and clear
my user_online database) if they just leave the page?

Thanks in advance for any suggestions.

Richard Levasseur

Feb 19, 2006, 2:02:12 PM
No, you can't because of the stateless nature of http.
Though, you might be able to embed some sort of java applet that sent a
message when it unloaded from a page refresh/change. That might be
more work than it's worth, though.

Dikkie Dik

Feb 19, 2006, 2:16:25 PM
actually, you can cleanup a session:

http://www.php.net/manual/en/function.session-destroy.php

David Haynes

Feb 19, 2006, 2:17:02 PM
The short answer is 'no'.

If a user goes to another page via the browser, then there is no
conversation with your server. So there is no way for your server to
know that the user has left.

Think of it as if your server is receiving mail. You know when you get a
letter, you can tell the time since you last got a letter and you can
reply to a letter, but there is no way to know that the user has also
written a letter to someone else.

Now, if you keep the 'last heard from' timestamp in a database, you may
release a session based upon a last response time (i.e. fifteen minutes)
without having to hear from the browser at all. (i.e. no cookie exchange
is required) It's not the same as detecting that they have gone elsewhere
but is probably the best you can do.

-david-

Dikkie Dik

Feb 19, 2006, 2:32:53 PM
Using JavaScript, you could use the onunload event of the body to
contact the server to log out. However, that would also log a user out
if he requests another page of the server.
Or, you could keep refreshing a subframe as a "live" signal.

Mickey

Feb 19, 2006, 3:31:54 PM
Thanks to all for the replies.

> Now, if you keep the 'last heard from' timestamp in a database, you may
> release a session based upon a last response time (i.e. fifteen minutes)
> without having to hear from the browser at all. (i.e. no cookie exchange
> is required) It's not the same as detecting that they have gone elsewhere
> but is probably the best you can do.

This is interesting.
Currently I am storing the 'last heard from' timestamp in a database
and if the user refreshes their browser and a specified amount of time
has passed then they are directed to re-login.
However, if the user closes their browser, I need to be able to clean
out the database of currently logged on users. I can't do this if the
user doesn't refresh their browser.

> release a session based upon a last response time

Ultimately, this is what I am trying to do, and also delete this user
from the list of currently online users. Can this be done once the user
has left the page or is there a better way to achieve this?

Thanks again for the replies.

pmo...@gmail.com

Feb 20, 2006, 4:19:29 AM
You can remove the inactive user when any user loads their page. For
each page, simply call a function 'refresh' that does:

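    function refresh(PDO $db, $user) {
        // remove all inactive users (MySQL syntax: not heard from for more than 15 minutes)
        $db->exec("DELETE FROM session WHERE last_heard_of < NOW() - INTERVAL 15 MINUTE");
        // verify that the current user is still active
        $stmt = $db->prepare("SELECT 1 FROM session WHERE user = ?");
        $stmt->execute(array($user));
        if ($stmt->fetchColumn() === false) {
            return false; // timed out: the caller sends the user back to login
        }
        // refresh the current user if still active
        $db->prepare("UPDATE session SET last_heard_of = NOW() WHERE user = ?")->execute(array($user));
        return true;
    }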

That's a simple way to clean your database.

Kimmo Laine

Feb 20, 2006, 5:51:57 AM
"Dikkie Dik" <nos...@nospam.org> wrote in message
news:a41c3$43f8c417$57d40752$13...@news.versatel.nl...

> actually, you can cleanup a session:
>
> http://www.php.net/manual/en/function.session-destroy.php
>


that's not the point here. The problem is how to detect when a user leaves
the website. If I just close the browser, how's the script gonna know when
to session_destroy()? Between two page requests the server has no idea what
the user is doing, did he leave to watch p0rn, did he close the browser, did
he close the entire computer. Not until he again requests a page. The
fundamental problem is when can the server safely assume that the user is
not returning to the site again... It's not about HOW TO destroy the
session, it's WHEN to destroy the session.

--
"En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirviö
sp...@outolempi.net | Gedoon-S @ IRCnet | rot13(xv...@bhgbyrzcv.arg)


d

Feb 20, 2006, 7:16:19 AM
"Richard Levasseur" <richa...@gmail.com> wrote in message
news:1140374153.4...@f14g2000cwb.googlegroups.com...

You can use javascript to handle that. You can have a function fire when
the page is being unloaded, and have that destroy the session.


Jerry Stuckle

Feb 20, 2006, 9:14:28 AM

If the user has javascript enabled and the connection is still active.

I wouldn't depend on it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Jasen Betts

Feb 20, 2006, 2:56:13 AM
On 2006-02-19, Mickey <mickey....@gmail.com> wrote:
> Thanks to all for the replies.
>
>> Now, if you keep the 'last heard from' timestamp in a database, you may
>> release a session based upon a last response time (i.e. fifteen minutes)
>> without having to hear from the browser at all. (i.e. no cookie exchange
>> is required) It's not the same as detecting that they have gone elsewhere
>> but is probably the best you can do.
>
> This is interesting.
> Currently I am storing the 'last heard from' timestamp in a database
> and if the user refreshes their browser and a specified amount of time
> has passed then they are directed to re-login.
> However, if the user closes their browser, I need to be able to clean
> out the database of currently logged on users. I can't do this if the
> user doesn't refresh their browser.

why can't you? all that's needed is

delete from sessions where last_access < now() - INTERVAL '0:15:00';

or similar.

> Ultimately, this is what I am trying to do, and also delete this user
> from the list of currently online users. Can this be done once the user
> has left the page or is there a better way to achieve this?

it's hard to determine when a user leaves.

Bye.
Jasen

Richard Levasseur

Feb 20, 2006, 2:15:17 PM

Jasen Betts wrote:
> On 2006-02-19, Mickey <mickey....@gmail.com> wrote:
> > Thanks to all for the replies.
> >
> >> Now, if you keep the 'last heard from' timestamp in a database, you may
> >> release a session based upon a last response time (i.e. fifteen minutes)
> >> without having to hear from the browser at all. (i.e. no cookie exchange
> >> is required) It's not the same as detecting that they have gone elsewhere
> >> but is probably the best you can do.
> >
> > This is interesting.
> > Currently I am storing the 'last heard from' timestamp in a database
> > and if the user refreshes their browser and a specified amount of time
> > has passed then they are directed to re-login.
> > However, if the user closes their browser, I need to be able to clean
> > out the database of currently logged on users. I can't do this if the
> > user doesn't refresh their browser.
>
> why can't you? all that's needed is
>
> delete from sessions where last_access < now() - INTERVAL '0:15:00';
>
> or similar.
>

The problem is he can't be notified - for sure - when they leave his
website, so he doesn't know when, exactly, to run that query. Deleting
old sessions every page hit would catch 15 minute time outs immediately,
but not the instance of if they close their browser/leave his website
(as you say below). Additionally, if no one hit the page the database
wouldn't be updated (which may or may not be important, can't tell from
what he's said so far). Then, eventually, though unlikely, all 5
logins would fill up and the user would be locked out until one of
those sessions timed out.

> > Ultimately, this is what I am trying to do, and also delete this user
> > from the list of currently online users. Can this be done once the user
> > has left the page or is there a better way to achieve this?
>
> it's hard to determine when a user leaves.
>
> Bye.
> Jasen

Agreed. Again, because of the nature of HTTP, you generally will not
know when they leave your server (that's the worst thing about
webdev, absolutely no client - server trust :( ).

Another alternative to using javascript/java to maintain a heartbeat
back to your server would be to have a cron-job run every few minutes
and run the above query to update the database. You don't have the
advantage of immediate update on every page hit, but then again you
don't have the load of updating the database every page hit.

Generally, imo, i just allow a single session for a user, as multiple
tabs/derived windows are the same session, using timeouts for when a
record needs to be locked for editing by a single user.

I believe there was another thread on a topic similar to this, and,
iirc, one proposed solution was to keep track of the previously logged
in session ID, and on new log ins, delete the old session and set the
old id as the new id (in fact, i think i made the post on that, i can't
recall exactly). This concept could easily be extended to allow some
arbitrary amount of sessions for a simultaneous login limit.

Jasen Betts

Feb 20, 2006, 2:14:09 PM
On 2006-02-20, Kimmo Laine <sp...@outolempi.net> wrote:
> "Dikkie Dik" <nos...@nospam.org> wrote in message
> news:a41c3$43f8c417$57d40752$13...@news.versatel.nl...
>> actually, you can cleanup a session:
>>
>> http://www.php.net/manual/en/function.session-destroy.php
>>
>
>
> that's not the point here. The problem is how to detect when a user leaves
> the website. If I just close the browser, how's the script gonna know when
> to session_destroy()? Between two page requests the server has no idea what
> the user is doing, did he leave to watch p0rn, did he close the browser, did
> he close the entire computer. Not until he again requests a page. The
> fundamental problem is when can the server safely assume that the user is
> not returning to the site again... It's not about HOW TO destroy the
> session, it's WHEN to destroy the session.

you have to tell it how to guess when.
while they are not requesting content from your site all you can know is what
they are not doing.

--

Bye.
Jasen

Mickey

Feb 21, 2006, 3:34:36 PM
First off, thanks again for the replies.
I have solved this now the best I could.

In the end I was going to go for the Javascript onUnload option,
however it really didn't suit this application.
So instead, I decided to check everything at login.

To solve the problem of having a maximum (5) number of users
downloading at one time:
When a user logs in I query the users_online table. If there are 5
users then I check if any of them have been online for 30 minutes, if a
user has been online for 30 minutes then I delete this entry from the
users_online table and allow the next user to log in. When the user
over the 30 minutes limit tries to download another file they are
forced to re-login and wait in line.

This gives the effect of allowing 30 minutes for each user to download
at once while keeping a consistent queue for all members.

This seemed to be the best solution in my case.

Thanks again for all the help and suggestion.
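
The login-time check described in the post above, as an added example that is not part of the original thread: the table layout, function names and the in-memory SQLite database (via PDO) are assumptions chosen so it runs on its own. The same evict-the-oldest step also covers the per-user session replacement suggested earlier in the thread, with the count taken per user instead of globally.

```php
<?php
// Added example. Table layout, function names and the SQLite backend are assumptions.
const MAX_ONLINE = 5;            // slot limit from the thread
const SLOT_SECONDS = 30 * 60;    // 30-minute turn from the thread
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_online (user TEXT PRIMARY KEY,
        session_id TEXT NOT NULL, login_at INTEGER NOT NULL)');
    return $db;
}

// True if $user got a slot, false if all slots are held by users under 30 minutes.
function try_login(PDO $db, string $user, string $sid, int $now): bool {
    $db->exec('BEGIN IMMEDIATE');   // write lock first, so count and insert are atomic
    try {
        // Assumption: a repeat login replaces the user's own row, not a second slot.
        $db->prepare('DELETE FROM users_online WHERE user = ?')->execute([$user]);
        $count = (int) $db->query('SELECT COUNT(*) FROM users_online')->fetchColumn();
        if ($count >= MAX_ONLINE) {
            // Full: evict the longest-online user, only if their 30 minutes are up.
            $del = $db->prepare('DELETE FROM users_online WHERE user = (SELECT user
                FROM users_online WHERE login_at <= ? ORDER BY login_at LIMIT 1)');
            $del->execute([$now - SLOT_SECONDS]);
            if ($del->rowCount() === 0) {
                $db->exec('ROLLBACK');
                return false;
            }
        }
        $db->prepare('INSERT INTO users_online VALUES (?, ?, ?)')
           ->execute([$user, $sid, $now]);
        $db->exec('COMMIT');
        return true;
    } catch (Throwable $e) {
        $db->exec('ROLLBACK');
        throw $e;
    }
}

// Checked before each download: an evicted user has no row and must log in again.
function has_slot(PDO $db, string $user, string $sid): bool {
    $q = $db->prepare('SELECT 1 FROM users_online WHERE user = ? AND session_id = ?');
    $q->execute([$user, $sid]);
    return $q->fetchColumn() !== false;
}
$db = open_db();
$t0 = 1140000000;                // constructed timestamp
foreach (['a', 'b', 'c', 'd', 'e'] as $i => $u) try_login($db, $u, "sid-$u", $t0 + $i);
var_dump(try_login($db, 'f', 'sid-f', $t0 + 600), try_login($db, 'f', 'sid-f', $t0 + 1800));
var_dump(has_slot($db, 'a', 'sid-a'), has_slot($db, 'f', 'sid-f'));
```

SQLite's BEGIN IMMEDIATE serializes the count and the insert here; on a server database with several connections the same check needs an equivalent lock, otherwise two simultaneous logins can both see four users and both insert.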