Managing logged in users of the site

  • Question

  • User1987180197 posted

    I need to check the currently logged in users of the site. On login I am setting the online status to true and on logout I am setting the status back to false. This worked well for the normal logout process, but what if the user closes the browser while still logged in?

    I am using forms authentication:

    <authentication mode="Forms">
      <forms name="AuthCookie" loginUrl="Login.aspx" defaultUrl="Default.aspx" timeout="1440" slidingExpiration="true" protection="All" path="/"/>
    </authentication>

    Also on login:

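    // Ticket valid for 1440 minutes; isPersistent = false; roles carried in UserData.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, UserName, DateTime.Now, DateTime.Now.AddMinutes(1440), false, Roles, FormsAuthentication.FormsCookiePath);

    // Encrypt the ticket and send it as the forms authentication cookie.
    string hashcookies = FormsAuthentication.Encrypt(ticket);
    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hashcookies);
    // Setting Expires makes the browser keep the cookie after it is closed, until this time.
    cookie.Expires = ticket.Expiration;
    Response.Cookies.Add(cookie);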

    So if the user closes the browser, will he still be logged in or not? If he is still logged in, that means the online status is still true; in that case how can I set the online status to false? I guess the user will automatically be logged out at a certain timeout if he doesn't open the site again. So how would I set the online status to false in this case?


    Thursday, December 6, 2012 7:12 AM

All replies

  • User1779161005 posted

    I'd suggest changing your thinking about what "logged out" means. I'd use the concept of inactivity instead. In other words, if the user's not been active in 30 minutes then I'd consider them logged out. This addresses the scenarios where the user doesn't click your logout button and they just close the browser or just leave it open forever (yet their auth cookie times out).

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, December 7, 2012 10:15 AM
  • User1987180197 posted

    I'd suggest changing your thinking about what "logged out" means. I'd use the concept of inactivity instead.

    OK, good point. Got it.

    if the user's not been active in 30 minutes then I'd consider them logged out

    I also want the same, but how can I change the online status in this case? That's the question.

    This addresses the scenarios where the user doesn't click your logout button and they just close the browser or just leave it open forever (yet their auth cookie times out).

    That is exactly what I want.

    Friday, December 7, 2012 1:23 PM
  • User1779161005 posted

    I also want the same, but how can I change the online status in this case? That's the question.

    I think you should not keep a "logout" flag in the database and instead keep a last activity date/time. Then your logic of "who's logged in" is anyone that has been active in the past X minutes. Or maybe I'm not understanding your question here.

    Friday, December 7, 2012 1:48 PM
  • User1987180197 posted

    I think you should not keep a "logout" flag in the database and instead keep a last activity date/time.

    OK, thanks, it's looking like a better approach.

    Then your logic of "who's logged in" is anyone that has been active in the past X minutes

    That's the hard part... can you provide some sample for that?

    Or maybe I'm not understanding your question here.

    No, you are right, I need to change my approach to logout.

    Thanks

    Friday, December 7, 2012 11:13 PM
  • User1779161005 posted

    That's the hard part... can you provide some sample for that?

    You need to implement Application_PostAuthenticationRequest in global.asax to log the current DateTime.Now for User.Identity.Name.

    Friday, December 7, 2012 11:54 PM
  • User1987180197 posted

    You need to implement Application_PostAuthenticationRequest in global.asax to log the current DateTime.Now for User.Identity.Name.

    Thanks, but I am not proficient with handling these security events. What I need is a step-by-step guide to implement this process.

    Any reference link will be helpful.

    Thanks

    Saturday, December 8, 2012 6:42 AM
  • User1779161005 posted

    http://msdn.microsoft.com/en-us/library/4wt3wttw.aspx

    http://msdn.microsoft.com/en-us/magazine/cc301362.aspx

    http://msdn.microsoft.com/en-us/magazine/cc188942.aspx

    Saturday, December 8, 2012 9:37 AM
  • User1987180197 posted

    http://msdn.microsoft.com/en-us/library/4wt3wttw.aspx

    http://msdn.microsoft.com/en-us/magazine/cc301362.aspx

    http://msdn.microsoft.com/en-us/magazine/cc188942.aspx

    Thanks Brock, while these links do not solve my current requirement, they taught me very important concepts, especially the HTTP pipeline.

    Saturday, December 8, 2012 11:50 AM
  • User1779161005 posted

    Right, so now that you know about the pipeline you can write the PostAuthenticateRequest event in global.asax that I suggested earlier.

    Saturday, December 8, 2012 12:06 PM
  • User1987180197 posted

    Right, so now that you know about the pipeline you can write the PostAuthenticateRequest event in global.asax that I suggested earlier.

    I think I need a working example. If anybody has implemented these things, please provide sample code.

    Thanks

    Sunday, December 9, 2012 11:32 PM
  • User1987180197 posted

    keep a last activity date/time.

    OK, when the user logs in to the site I can record his date/time, but how can I monitor his activity time, meaning how do I know that the user has been idle for the last 30 minutes?

    Thanks

    Sunday, December 9, 2012 11:36 PM
  • User1779161005 posted

    You subtract the user's last activity time from the current time.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, December 9, 2012 11:39 PM
  • User1987180197 posted

    OK, instead of a flag I used something like Last Active Date Time, so if the user is authenticated I am updating this on each web page load. Then on the User Activity page, I calculate the total number of minutes for which the user has been inactive by subtracting the Last Active Time from the current time. And if these minutes are more than 1440 (this is what I set in forms authentication), I show the user as offline.

    Is it the correct approach? Then what about the Application_PostAuthenticationRequest event?

    Thanks

    Monday, December 10, 2012 5:09 AM
  • User1779161005 posted

    Yep, sounds good. PostAuthenticateRequest is where I suggested that you write the code to update the last activity time since it's called on each request from the user.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, December 10, 2012 5:45 PM
  • User1987180197 posted

    PostAuthenticateRequest is where I suggested that you write the code to update the last activity time since it's called on each request from the user.

    OK, got it now, no need to write code in each page load. Writing it once in PostAuthenticateRequest is enough.

    Thanks Brock for staying with me for so long.

    Monday, December 10, 2012 11:28 PM
  • User1779161005 posted

    Yep, you got it.

    Tuesday, December 11, 2012 3:35 PM
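
Added example, not part of the original thread and not any poster's code: the approach the answers describe, recording each authenticated user's last activity in the PostAuthenticateRequest handler of Global.asax and treating anyone active within an idle window as online. ActivityTracker, Touch, OnlineUsers, Remove, IdleLimit and WriteInterval are hypothetical names, and the in-memory dictionary is an assumed stand-in for the last-activity column the thread keeps in the database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Web;

// Hypothetical helper: in-memory stand-in for a "last activity" database column.
public static class ActivityTracker
{
    // Idle window after which a user counts as offline (the thread's "X minutes").
    public static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(30);
    // Skip writes that would move the timestamp by less than this.
    static readonly TimeSpan WriteInterval = TimeSpan.FromMinutes(1);

    static readonly ConcurrentDictionary<string, DateTime> LastSeen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public static void Touch(string userName, DateTime nowUtc)
    {
        DateTime previous;
        if (LastSeen.TryGetValue(userName, out previous) && nowUtc - previous < WriteInterval)
            return; // recent enough; avoids a store write on every request
        LastSeen[userName] = nowUtc;
    }

    // "Who is logged in" = anyone active within IdleLimit; no logout flag is kept.
    public static IList<string> OnlineUsers(DateTime nowUtc)
    {
        return LastSeen.Where(p => nowUtc - p.Value <= IdleLimit)
                       .Select(p => p.Key).OrderBy(n => n).ToList();
    }

    // Explicit logout takes the user offline at once instead of waiting out the window.
    public static void Remove(string userName)
    {
        DateTime ignored;
        LastSeen.TryRemove(userName, out ignored);
    }
}

public class Global : HttpApplication
{
    // Runs on every request, after forms authentication has populated User.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var user = HttpContext.Current.User;
        if (user != null && user.Identity.IsAuthenticated)
            ActivityTracker.Touch(user.Identity.Name, DateTime.UtcNow);
    }
}
```

Timestamps are kept in UTC so the subtraction is not affected by server time zone or daylight saving changes. The online list is presence information only; whether a request is authenticated is still decided by the forms authentication ticket.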