How do I track web-based Logins and Logouts?

Question

I'm making modifications to a members-based site whose owner wants to be able to track time spent on site (login/logout) for all users in a DB backend. Login is easy; there's one point of entry (the login form) and as a result, logins can be thrown in the database as soon as they happen.

Logouts, however, are a bit trickier, as unless the user clicks 'logout' to explicitly let us know they're leaving the solution gets hairier (and how often do users really click logout?). One possibility (just in terms of tracking total time on the site) would be to register each pageload in the database and associate it with the user that loaded it; the problem with that is that the site is a membership-based video delivery site (not what you're thinking!) and their last pageview is likely going to be a twenty or thirty minute video. We need to capture that time spent on that last page, as well--not just the time it was loaded.

I've thought of two possible solutions, neither of which is all that elegant. The first would be to trap all 'unload' events via javascript and register a call to 'logout.php' (this assuming the XMLHttpRequest or whatever doesn't die as soon as the page is unloaded); the problem there is that internal links also register as unload events, so clicking any link would log the user out (you could to check a flag in the 'unload' handler, and have all internal links set that flag--not hard to do dynamically, but a bit kludgy). The other approach would involve setting an interval to ping the DB every 60 s or so, which lets us know that the user is still on the site, and then doing some math when pulling the user's history to figure out the total length of that session; that also seems kind of hackish. Also, neither of these solutions work for users with JS disabled.

It seems that this problem isn't that unusual, and there's got to be a better way; is there a best-practices approach to solving this? If not, do you see any way to improve either of these solutions?

Answer 1

I've had good success with using timer in javascript to ping the server. In my case the site requires javascript so this is not an issue. I also use this mechanism to perform a check which prevents a single account from being logged in from two different machines so there is more compelling reasons to do this hack.

One thing to keep in mind with unload is your still not guarenteed that the unload event will always be fired. You will have people on laptops who for example just close the laptop, so the timer approach will probally be a bit more accurate.

Answer 2

The web is not built to allow accurate tracking of logout events. You just aren't guaranteed to get notice from the browser when the user quits, so under normal circumstances the best you can hope for is to trap the session timeout event, and that event might not fire until 20 minutes after the user abandoned the page.

Now you could improve on this a little by putting an ajax request in a timer on each page (perhaps once or twice per minute) to provide a "heartbeat", but this has some caveats as well: You need to make sure the session will still eventually time out and you still aren't guaranteed that the user won't block these requests, perhaps by disabling javascript.