Forced user logout / Cancel sessions and cleanup

  • Mickey

    Forced user logout / Cancel sessions and cleanup

    Hi all,

    Currently I use a timestamp to log users out after 15 minutes of
    inactivity.
    However I also need to log a user out if they have just left the page.
    I need to do this because I store current online users in a database,
    allowing a maximum of 5 users at one time.

    I have been looking through the php manual and came across
    session_cache_expire(). This isn't doing what I need either. Am I
    going in the wrong direction with this?

    Basically my question is, is there a way to log a user out (and clear
    my user_online database) if they just leave the page?

    Thanks in advance for any suggestions.

  • Richard Levasseur

    #2
    Re: Forced user logout / Cancel sessions and cleanup

    No, you can't because of the stateless nature of http.
    Though, you might be able to embed some sort of java applet that sent a
    message when it unloaded from a page refresh/change. That might be
    more work than it's worth, though.


    • Dikkie Dik

      #3
      Re: Forced user logout / Cancel sessions and cleanup

      actually, you can cleanup a session:




      Richard Levasseur wrote:
      > No, you can't because of the stateless nature of http.
      > Though, you might be able to embed some sort of java applet that sent a
      > message when it unloaded from a page refresh/change. That might be
      > more work than it's worth, though.


      • David Haynes

        #4
        Re: Forced user logout / Cancel sessions and cleanup

        Mickey wrote:
        > Hi all,
        >
        > Currently I use a timestamp to log users out after 15 minutes of
        > inactivity.
        > However I also need to log a user out if they have just left the page.
        > I need to do this because I store current online users in a database,
        > allowing a maximum of 5 users at one time.
        >
        > I have been looking through the php manual and came across
        > session_cache_expire(). This isn't doing what I need either. Am I
        > going in the wrong direction with this?
        >
        > Basically my question is, is there a way to log a user out (and clear
        > my user_online database) if they just leave the page?
        >
        > Thanks in advance for any suggestions.
        >
        The short answer is 'no'.

        If a user goes to another page via the browser, then there is no
        conversation with your server. So there is no way for your server to
        know that the user has left.

        Think of it as if your server is receiving mail. You know when you get a
        letter, you can tell the time since you last got a letter and you can
        reply to a letter, but there is no way to know that the user has also
        written a letter to someone else.

        Now, if you keep the 'last heard from' timestamp in a database, you may
        release a session based upon a last response time (i.e. fifteen minutes)
        without having to hear from the browser at all. (i.e. no cookie exchange
        is required) It's not the same as detecting that they have gone elsewhere
        but is probably the best you can do.

        -david-


        • Dikkie Dik

          #5
          Re: Forced user logout / Cancel sessions and cleanup

          Using JavaScript, you could use the onunload event of the body to
          contact the server to log out. However, that would also log a user out
          if he requests another page of the server.
          Or, you could keep refreshing a subframe as a "live" signal.


          Mickey wrote:
          > Hi all,
          >
          > Currently I use a timestamp to log users out after 15 minutes of
          > inactivity.
          > However I also need to log a user out if they have just left the page.
          > I need to do this because I store current online users in a database,
          > allowing a maximum of 5 users at one time.
          >
          > I have been looking through the php manual and came across
          > session_cache_expire(). This isn't doing what I need either. Am I
          > going in the wrong direction with this?
          >
          > Basically my question is, is there a way to log a user out (and clear
          > my user_online database) if they just leave the page?
          >
          > Thanks in advance for any suggestions.


          • Mickey

            #6
            Re: Forced user logout / Cancel sessions and cleanup

            Thanks to all for the replies.

            > Now, if you keep the 'last heard from' timestamp in a database, you may
            > release a session based upon a last response time (i.e. fifteen minutes)
            > without having to hear from the browser at all. (i.e. no cookie exchange
            > is required) It's not the same as detecting that they have gone elsewhere
            > but is probably the best you can do.

            This is interesting.
            Currently I am storing the 'last heard from' timestamp in a database
            and if the user refreshes their browser and a specified amount of time
            has passed then they are directed to re-login.
            However, if the user closes their browser, I need to be able to clean
            out the database of currently logged on users. I can't do this if the
            user doesn't refresh their browser.

            > release a session based upon a last response time

            Ultimately, this is what I am trying to do, and also delete this user
            from the list of currently online users. Can this be done once the user
            has left the page or is there a better way to achieve this?

            Thanks again for the replies.


            • pmorel@gmail.com

              #7
              Re: Forced user logout / Cancel sessions and cleanup

              You can remove the inactive users when any user loads their page. For
              each page, simply call a function 'refresh' that does:

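              function refresh(PDO $db, $user) {
                  // assumes $db is a PDO connection and last_heard_of holds a Unix timestamp
                  $now = time();
                  // remove all inactive users (not heard from for more than 15 minutes)
                  $db->prepare('DELETE FROM session WHERE last_heard_of < ?')->execute([$now - 15 * 60]);
                  // verify that the current user is still active
                  $stmt = $db->prepare('SELECT * FROM session WHERE user = ?');
                  $stmt->execute([$user]);
                  if ($stmt->fetch() === false) {
                      return false; // row was cleaned up: the caller forces a re-login
                  }
                  // refresh the current user if still active
                  $db->prepare('UPDATE session SET last_heard_of = ? WHERE user = ?')->execute([$now, $user]);
                  return true;
              }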

              That's a simple way to clean your database.


              • Kimmo Laine

                #8
                Re: Forced user logout / Cancel sessions and cleanup

                "Dikkie Dik" <nospam@nospam. org> wrote in message
                news:a41c3$43f8c417$57d40752$13847@news.versatel.nl...
                > actually, you can cleanup a session:
                >
                > http://www.php.net/manual/en/functio...on-destroy.php


                that's not the point here. The problem is how to detect when a user leaves
                the website. If I just close the browser, how's the script gonna know when
                to session_destroy()? Between two page requests the server has no idea what
                the user is doing, did he leave to watch p0rn, did he close the browser, did
                he close the entire computer. Not until he again requests a page. The
                fundamental problem is when can the server safely assume that the user is
                not returning to the site again... It's not about HOW TO destroy the
                session, it's WHEN to destroy the session.

                --
                "En ole paha ihminen, mutta omenat ovat elinkeinoni." -Perttu Sirviö
                spam@outolempi.net | Gedoon-S @ IRCnet | rot13(xvzzb@bhgbyrzcv.arg)



                • d

                  #9
                  Re: Forced user logout / Cancel sessions and cleanup

                  "Richard Levasseur" <richardlev@gma il.com> wrote in message
                  news:1140374153.425427.323740@f14g2000cwb.googlegroups.com...
                  > No, you can't because of the stateless nature of http.
                  > Though, you might be able to embed some sort of java applet that sent a
                  > message when it unloaded from a page refresh/change. That might be
                  > more work than it's worth, though.

                  You can use javascript to handle that. You can have a function fire when
                  the page is being unloaded, and have that destroy the session.



                  • Jerry Stuckle

                    #10
                    Re: Forced user logout / Cancel sessions and cleanup

                    d wrote:
                    > "Richard Levasseur" <richardlev@gmail.com> wrote in message
                    > news:1140374153.425427.323740@f14g2000cwb.googlegroups.com...
                    >
                    >>No, you can't because of the stateless nature of http.
                    >>Though, you might be able to embed some sort of java applet that sent a
                    >>message when it unloaded from a page refresh/change. That might be
                    >>more work than it's worth, though.
                    >
                    > You can use javascript to handle that. You can have a function fire when
                    > the page is being unloaded, and have that destroy the session.

                    If the user has javascript enabled and the connection is still active.

                    I wouldn't depend on it.

                    --
                    ==================
                    Remove the "x" from my email address
                    Jerry Stuckle
                    JDS Computer Training Corp.
                    jstucklex@attglobal.net
                    ==================


                    • Jasen Betts

                      #11
                      Re: Forced user logout / Cancel sessions and cleanup

                      On 2006-02-19, Mickey <mickey.allroid@gmail.com> wrote:
                      > Thanks to all for the replies.
                      >
                      >> Now, if you keep the 'last heard from' timestamp in a database, you may
                      >> release a session based upon a last response time (i.e. fifteen minutes)
                      >> without having to hear from the browser at all. (i.e. no cookie exchange
                      >> is required) It's not the same as detecting that they have gone elsewhere
                      >> but is probably the best you can do.
                      >
                      > This is interesting.
                      > Currently I am storing the 'last heard from' timestamp in a database
                      > and if the user refreshes their browser and a specified amount of time
                      > has passed then they are directed to re-login.
                      > However, if the user closes their browser, I need to be able to clean
                      > out the database of currently logged on users. I can't do this if the
                      > user doesn't refresh their browser.

                      why can't you? all that's needed is

                      delete from sessions where last_access < now() - INTERVAL '0:15:00';

                      or similar.

                      > Ultimately, this is what I am trying to do, and also delete this user
                      > from the list of currently online users. Can this be done once the user
                      > has left the page or is there a better way to achieve this?

                      it's hard to determine when a user leaves.

                      Bye.
                      Jasen


                      • Richard Levasseur

                        #12
                        Re: Forced user logout / Cancel sessions and cleanup


                        Jasen Betts wrote:
                        > On 2006-02-19, Mickey <mickey.allroid@gmail.com> wrote:
                        > > Thanks to all for the replies.
                        > >
                        > >> Now, if you keep the 'last heard from' timestamp in a database, you may
                        > >> release a session based upon a last response time (i.e. fifteen minutes)
                        > >> without having to hear from the browser at all. (i.e. no cookie exchange
                        > >> is required) It's not the same as detecting that they have gone elsewhere
                        > >> but is probably the best you can do.
                        > >
                        > > This is interesting.
                        > > Currently I am storing the 'last heard from' timestamp in a database
                        > > and if the user refreshes their browser and a specified amount of time
                        > > has passed then they are directed to re-login.
                        > > However, if the user closes their browser, I need to be able to clean
                        > > out the database of currently logged on users. I can't do this if the
                        > > user doesn't refresh their browser.
                        >
                        > why can't you? all that's needed is
                        >
                        > delete from sessions where last_access < now() - INTERVAL '0:15:00';
                        >
                        > or similar.

                        The problem is he can't be notified - for sure - when they leave his
                        website, so he doesn't know when, exactly, to run that query. Deleting
                        old session every page hit would catch 15 minute time outs immediately,
                        but not the instance of if they close their browser/leave his website
                        (as you say below). Additionally, if no one hit the page the database
                        wouldn't be updated (which may or may not be important, can't tell from
                        what he's said so far). Then, eventually, though unlikely, all 5
                        logins would fill up and the user would be locked out until one of
                        those sessions timed out.

                        > > Ultimately, this is what I am trying to do, and also delete this user
                        > > from the list of currently online users. Can this be done once the user
                        > > has left the page or is there a better way to achieve this?
                        >
                        > it's hard to determine when a user leaves.
                        >
                        > Bye.
                        > Jasen

                        Agreed. Again, because of the nature of HTTP, you generally will not
                        know when they leave your server (that's the worst thing about
                        webdev, absolutely no client - server trust :( ).

                        Another alternative to using javascript/java to maintain a heartbeat
                        back to your server would be to have a cron-job run every few minutes
                        and run the above query to update the database. You don't have the
                        advantage of immediate update on every page hit, but then again you
                        don't have the load of updating the database every page hit.

                        Generally, imo, i just allow a single session for a user, as multiple
                        tabs/derived windows are the same session, using timeouts for when a
                        record needs to be locked for editing by a single user.

                        I believe there was another thread on a topic similar to this, and,
                        iirc, one proposed solution was to keep track of the previously logged
                        in session ID, and on new log ins, delete the old session and set the
                        old id as the new id (in fact, i think i made the post on that, i can't
                        recall exactly). This concept could easily be extended to allow some
                        arbitrary amount of sessions for a simultaneous login limit.


                        • Jasen Betts

                          #13
                          Re: Forced user logout / Cancel sessions and cleanup

                          On 2006-02-20, Kimmo Laine <spam@outolempi.net> wrote:
                          > "Dikkie Dik" <nospam@nospam.org> wrote in message
                          > news:a41c3$43f8c417$57d40752$13847@news.versatel.nl...
                          >> actually, you can cleanup a session:
                          >>
                          >> http://www.php.net/manual/en/functio...on-destroy.php
                          >
                          > that's not the point here. The problem is how to detect when a user leaves
                          > the website. If I just close the browser, how's the script gonna know when
                          > to session_destroy()? Between two page requests the server has no idea what
                          > the user is doing, did he leave to watch p0rn, did he close the browser, did
                          > he close the entire computer. Not until he again requests a page. The
                          > fundamental problem is when can the server safely assume that the user is
                          > not returning to the site again... It's not about HOW TO destroy the
                          > session, it's WHEN to destroy the session.

                          you have to tell it how to guess when.
                          while they are not requesting content from your site all you can know is what
                          they are not doing.



                          --

                          Bye.
                          Jasen


                          • Mickey

                            #14
                            Re: Forced user logout / Cancel sessions and cleanup

                            First off, thanks again for the replies.
                            I have solved this now the best I could.

                            In the end I was going to go for the Javascript onUnload option,
                            however it really didn't suit this application.
                            So instead, I decided to check everything at login.

                            To solve the problem of having a maximum (5) number of users
                            downloading at one time:
                            When a user logs in I query the users_online table. If there are 5
                            users then I check if any of them have been online for 30 minutes, if a
                            user has been online for 30 minutes then I delete this entry from the
                            users_online table and allow the next user to log in. When the user
                            over the 30 minutes limit tries to download another file they are
                            forced to re-login and wait in line.

                            This gives the effect of allowing 30 minutes for each user to download
                            at once while keeping a consistent queue for all members.

                            This seemed to be the best solution in my case.

                            Thanks again for all the help and suggestions.
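
The login-time check described in the final post (at most 5 users online, a slot reclaimable after 30 minutes), written out in PHP as an added example; it is not code from any poster in this thread. It assumes PHP 7.1+ with pdo_sqlite and an in-memory table; the session_id and login_time columns and the openStore(), login() and mayDownload() names are hypothetical.

```php
<?php
const MAX_ONLINE   = 5;        // concurrent-user cap from the thread
const SLOT_SECONDS = 30 * 60;  // 30-minute slot from the final post

// Assumed schema; session_id and login_time are hypothetical column names.
function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users_online (
        session_id TEXT PRIMARY KEY, user TEXT NOT NULL, login_time INTEGER NOT NULL)');
    return $db;
}

// Login-time admission: returns a fresh session id, or null when all slots
// are held by users still inside their 30 minutes.
function login(PDO $db, string $user, int $now): ?string {
    // One transaction, so the count, the eviction and the insert are applied
    // together. On a multi-writer database also lock the rows or table.
    $db->beginTransaction();
    try {
        $count = (int) $db->query('SELECT COUNT(*) FROM users_online')->fetchColumn();
        if ($count >= MAX_ONLINE) {
            // Evict the longest-held slot, but only if its time is used up.
            $stmt = $db->prepare('SELECT session_id FROM users_online
                WHERE login_time <= ? ORDER BY login_time LIMIT 1');
            $stmt->execute([$now - SLOT_SECONDS]);
            $expired = $stmt->fetchColumn();
            $stmt->closeCursor();
            if ($expired === false) {
                $db->rollBack();
                return null;
            }
            $db->prepare('DELETE FROM users_online WHERE session_id = ?')->execute([$expired]);
        }
        $sid = bin2hex(random_bytes(16)); // unguessable server-side token
        $db->prepare('INSERT INTO users_online VALUES (?, ?, ?)')->execute([$sid, $user, $now]);
        $db->commit();
        return $sid;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Checked before every download: an evicted session has no row and must log in again.
function mayDownload(PDO $db, string $sid): bool {
    $stmt = $db->prepare('SELECT 1 FROM users_online WHERE session_id = ?');
    $stmt->execute([$sid]);
    return $stmt->fetchColumn() !== false;
}

// Constructed demo: five logins, a sixth refused, then admitted after 30 minutes.
$db = openStore();
$t0 = 1000000; // constructed clock value, passed in so the run is deterministic
$sids = [];
for ($i = 1; $i <= MAX_ONLINE; $i++) {
    $sids[] = login($db, "user$i", $t0 + $i);
}
var_dump(login($db, 'user6', $t0 + 60) === null);
var_dump(is_string(login($db, 'user6', $t0 + 1 + SLOT_SECONDS)));
var_dump(mayDownload($db, $sids[0]), mayDownload($db, $sids[1]));
```

The decision to release a slot is made entirely on the server from stored timestamps, so it does not depend on the browser sending an unload event or having JavaScript enabled.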
