2

I am working on implementing a "presence" feature on a website built on a Classic ASP (VBScript), SQL Server, JavaScript, IIS7 stack.

The existing authentication/log in system uses sessions, with a default 20 minute session timeout. The user data is stored in a SQL Server table. A cookie is also set when a user logs in, which enables tracking of registered users even when not logged in.

There is a column in the USERS table which holds the state e.g. "online" or "offline". The following is the logic I've come up with thus far:

Status is set to "online" when:

  1. user logs in
  2. a cookie is detected e.g. user returns but doesn't yet log in

Status set to "offline" when:

  1. user logs out
  2. user closes browser (use a javascript event to detect)
  3. user navigates away from the site (not sure yet how best to detect this)
  4. user's session expires (handled in global.asa's Session_OnEnd subroutine)

Questions:

  1. Am I overlooking anything in the logic presented above?
  2. What is the best way (within js / classic asp) to detect items 2 and 3 above in the "when to set status to 'offline'" list

Thanks

GWR
  • IMHO, the best way to handle 2 and 3 is to have the client send a ping every x seconds, update last access time in DB, then have a logout function on the server side that looks for non-access within x amount of time, and update flag. – Gary Dec 21 '15 at 15:46
  • @Gary - correct me if I am misunderstanding, but wouldn't those automatic pings make it seem like there is activity from the client when there may not be? – GWR Dec 21 '15 at 15:56
  • Depends what you want to detect, if their client browser is open and they are on the site are they classed as online? – user692942 Dec 21 '15 at 17:13
  • @lankymart - I get what you are saying - I guess I think of the auto-ping solution as something that would perpetually keep the session alive, which is not what I want to do – GWR Dec 22 '15 at 00:05
  • A ping is the only way that you will be 100% sure that the user is still there. Think of an example where a user just shuts off the machine. You will not know that they are gone until the 20 minute timeout expires. If you set your ping for 60 seconds, you will know very quickly if a user disappears. – Gary Dec 22 '15 at 13:46

2 Answers

2

With 2 and 3 there are js restrictions as to what you can do when js detects a potential leaving of the page. I think all you can do is to show a message before they leave. This means you won't be able to run any js as they are leaving.

Best way to detect when a user leaves a web page?

As Gary said probably the most effective way is to use some ajax to ping a script on the server to update a LastTimeOnline field in your db.

Another way is to use the Session_OnEnd but this may give a false figure as a user could be online for 5 secs which would trigger a 20 minute session.

Best to do the ping really.

All the other logic you have there seems fine.

Just spotted your other comment. Yes, if someone leaves their browser open at the page then potentially this could be pinging all day. But then they may be online, so you'd have no choice but to presume that a session is active really. You could always add a bit of js that detects clicks and scrolling to determine activity.

Amos Fox
  • This - You could always add a bit of js that detects clicks and scrolling to determine activity. – Gary Dec 21 '15 at 17:02
  • The other problem with `Session_OnEnd` is Application Pool Recycle settings can give erroneous results depending on how the Application Pool is configured almost making the `Session.Timeout` pointless. – user692942 Dec 21 '15 at 17:19
2

IMHO, the best way to handle 2 and 3 is to have the client send a ping every x seconds, update last access time in DB, then have a logout function on the server side that looks for non-access within x amount of time, and update flag.

These automatic pings will make it seem like there is activity from the client when there may not be, and in this case add some events that capture mouse and keyboard activity. If they stop for some period of time, stop sending pings. Restart pings when activity resumes.

A ping is the only way that you will be 100% sure that the user is still there. Think of an example where a user just shuts off the machine. You will not know that they are gone until the 20 minute timeout expires. If you set your ping for 60 seconds, you will know very quickly if a user disappears.

Gary
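The ping-plus-sweep approach from the answers above, with pings gated on real user activity, as an added example that is not code from any of the posters. The names (`shouldPing`, `PresenceStore`, `simulate`), the 5 minute idle limit and the two-missed-pings cutoff are assumptions, and a `Map` stands in for the USERS table.

```javascript
// Added example. All names and thresholds are hypothetical.
const PING_INTERVAL_MS = 60 * 1000;            // 60 s ping, as suggested in the answer
const IDLE_LIMIT_MS = 5 * 60 * 1000;           // assumed: no input for 5 min => stop pinging
const OFFLINE_AFTER_MS = 2 * PING_INTERVAL_MS; // assumed: two missed pings => offline

// Client side: lastActivity is refreshed by click/scroll/keyboard handlers.
// A ping is due only while the user is active, so an open but idle tab
// cannot hold the "online" status indefinitely.
function shouldPing(now, lastActivity, lastPing) {
  const active = now - lastActivity < IDLE_LIMIT_MS;
  return active && now - lastPing >= PING_INTERVAL_MS;
}

// Server side: a Map stands in for the USERS table (status + LastTimeOnline).
class PresenceStore {
  constructor() { this.users = new Map(); }
  recordPing(userId, now) {
    this.users.set(userId, { status: "online", lastSeen: now });
  }
  // Scheduled job: flag every user whose last ping is too old.
  sweep(now) {
    const expired = [];
    for (const [id, u] of this.users) {
      if (u.status === "online" && now - u.lastSeen > OFFLINE_AFTER_MS) {
        u.status = "offline";
        expired.push(id);
      }
    }
    return expired;
  }
  status(userId) {
    const u = this.users.get(userId);
    return u ? u.status : "offline";
  }
}

// Constructed timeline: user "u1" touches the page at t=0, then walks away.
function simulate() {
  const store = new PresenceStore();
  const log = [];
  let lastPing = -Infinity;
  for (let t = 0; t <= 10 * PING_INTERVAL_MS; t += PING_INTERVAL_MS) {
    if (shouldPing(t, 0, lastPing)) { store.recordPing("u1", t); lastPing = t; }
    store.sweep(t);
    log.push(store.status("u1"));
  }
  return log;
}
```

In the simulated timeline the pings stop once the idle limit is reached, and the sweep flips the user to "offline" two missed pings later instead of waiting for the 20 minute session timeout.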