Question

I want to implement a basic login system in some PHP app where no cookies will be involved. I mean, the user closes the browser and the login expires, it will remain active during the browser session (or if the user explicitly logs out) otherwise.

I want to log all this activity and I'm thinking that every time the user refreshes the page, opens a different link or logs out, I record that time as the last access made by that user, overwriting the previous access log.

But my problem is when and how should I insert another record into the database instead of overwriting the last one?

Should I just define a timeout and if the last access was made above that timeout, another log should be inserted into the database? Should the session expire too after that timeout?

Or is there a better way?

Ideally, I would like to log the "log out action" when the browser was closed, but I don't think there's a way to detect that, is there?

Suggestions?


Solution

Revising my answer here a bit because you already mentioned the server side timeout….

The only thing you can do client side is to use the onbeforeunload event to call the logout page (if the user did not click a link in the document..)

Unfortunately, the browser back, forward, and refresh buttons will cause a logout...
To get around that, have your logout.php (auto logout page) sleep for 20-30 seconds and then check to see if the last impression was under 30-45 seconds ago before logging them out…

Just add this to script tags in the head of your document and change the ‘logout.php’ to whatever you want… * You may also need to edit the window.onload function to correctly add the onclick handlers if you use something other than links to navigate….

    // Create an XMLHttpRequest object, falling back to ActiveX on old IE.
    var xmlhttp = false; var target; var combo;
    /*@cc_on @*/
    /*@if (@_jscript_version >= 5)
    try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
    catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); } catch (E) { xmlhttp = false; } }
    @end @*/
    if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
        xmlhttp = new XMLHttpRequest();
    }
    var dologout = true;          // set to false when the user follows a document link
    var logouturl = 'logout.php';
    // On unload, notify the server unless a document link was clicked.
    window.onbeforeunload = function() {
        if (dologout && xmlhttp) {
            xmlhttp.open("POST", logouturl, true);
            xmlhttp.send(null);
        }
    };
    window.onload = function() {
        // Mark clicks on document links as in-site navigation.
        for (var i = 0; i < document.links.length; i++) {
            document.links[i].setAttribute("onclick", "dologout = false;");
        }
    };

Essentially this just attaches an onclick event to all document.links and changes the 'dologout' flag to false if a document link was clicked...

If the dologout flag is true when the onbeforeunload event fires, it sends a post to the 'logouturl' / 'logout.php' ...

OTHER TIPS

The real problem here is another. Why do you need this? I mean. It seems to me very easy:

  1. You take all your website pages and add in the first lines something like session::recordAction() and inside that method you connect to the database and record the timestamp coming from time() which is a native function. It doesn't really matter where you are going to place that field in the database since it's based on your design preferences and schema.
  2. When you want to know if a user had been online in the last, let's say, 10 minutes you can compare the 2 timestamps (the one you recorded in the database and time()) and say something like:

    $minute = 60; // seconds
    if (time() - session::getLastAction() < 10 * $minute) { /* Do some cool stuff here */ }

  3. If you are recording an action log in order to recover it in case of security issues or something, you have to remember that that timestamp means the last time a user refreshed a page. And in this case I'd suggest you use a .txt file to record them and to record also the IP and all the data you can recover from that user. So you are not overusing the database for no reason.

If you are building this system for other purposes just tell me and I'll let you know how to solve all your problems this way.

Tips

Remember that pretty much nobody actually presses the logout button, they just leave the website. And if they are leaving the website there's no way to actually know that. The fact is that they are not requesting pages from the server, and that could happen if 1. they have left the website or 2. they are reading the webpage and didn't refresh.

Notice

If I didn't get it wrong, you are looking for some way to make a login system and you were concerned about cookies:

  • Cookies expire (by default, using setcookie()) after the browser is closed. You can delete them by setting a past timestamp and you can make them live forever by setting a very long date. They are very useful and are still used by a lot of people.
  • Sessions expire after 24 or 22 minutes of inactivity (not sure, google it).

I hope I was understandable; if not, just ask for clarifications. :)

There is no way to trigger an action that will be of value to you when the browser is closed. At this link, http://www.webdeveloper.com/forum/showthread.php?t=93810, a user asked a similar question, and the problem that he had, and I suspect you will have, is that every time a user leaves a web page it is considered like they are leaving the site, and so this will interfere with your logging activities. I would just use cookies and make them expire often. Log a user's action every time they perform some useful action on your site, i.e. clicking on a link, and focus less on how much time they are spending just reading content.
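The timeout approach raised in the question and the answers, as an added example that is not code from any of the posters: the server overwrites the last-access time while requests keep arriving within an idle window, and closes the old row and inserts a new one once the window has passed. The `access_log` table, the function names, the 600-second `IDLE_TIMEOUT` and the timeline are assumptions made for illustration; it assumes PHP with the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added example: table, function names and timeline are constructed.
const IDLE_TIMEOUT = 600; // seconds of inactivity that end a visit (assumed value)
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // ended_by: NULL while the visit is open, then 'logout' or 'timeout'
    $db->exec('CREATE TABLE access_log (id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_id INTEGER NOT NULL, started_at INTEGER NOT NULL,
        last_seen INTEGER NOT NULL, ended_by TEXT)');
    return $db;
}

// Call on every authenticated request; returns the id of the log row in use.
function recordAction(PDO $db, int $userId, int $now): int {
    $q = $db->prepare('SELECT id, last_seen FROM access_log
        WHERE user_id = ? AND ended_by IS NULL ORDER BY id DESC LIMIT 1');
    $q->execute([$userId]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && $now - (int)$row['last_seen'] <= IDLE_TIMEOUT) {
        // Same visit: overwrite the last access time.
        $db->prepare('UPDATE access_log SET last_seen = ? WHERE id = ?')->execute([$now, $row['id']]);
        return (int)$row['id'];
    }
    if ($row !== false) {
        // Idle too long (browser closed or user away): close the old visit.
        $db->prepare("UPDATE access_log SET ended_by = 'timeout' WHERE id = ?")
           ->execute([$row['id']]);
    }
    $db->prepare('INSERT INTO access_log (user_id, started_at, last_seen)
        VALUES (?, ?, ?)')->execute([$userId, $now, $now]);
    return (int)$db->lastInsertId();
}

// Explicit logout: close the open visit and record how it ended.
function recordLogout(PDO $db, int $userId, int $now): void {
    $db->prepare("UPDATE access_log SET last_seen = ?, ended_by = 'logout'
        WHERE user_id = ? AND ended_by IS NULL")->execute([$now, $userId]);
}

$db = makeDb();
$t0 = 1700000000;                  // constructed timeline for user 7
recordAction($db, 7, $t0);         // first request of a visit
recordAction($db, 7, $t0 + 120);   // 2 minutes later, inside the idle window
recordAction($db, 7, $t0 + 3600);  // an hour later, past the idle window
recordLogout($db, 7, $t0 + 3660);  // user clicks "log out"
foreach ($db->query('SELECT * FROM access_log', PDO::FETCH_ASSOC) as $r) {
    echo json_encode($r), PHP_EOL;
}
```

A visit closed as `timeout` keeps its final `last_seen`, which is the closest server-side record of when the browser was closed. Applying the same `IDLE_TIMEOUT` check to the PHP session before calling `recordAction` keeps the log and the authenticated state in step.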

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow