PHP best practice keep track of logged in users

Question

I want to show users who else is logged in as part of a comment system. What are best practices for keeping track of users? For example:

Do you keep track of all sessions and then mark them as closed. Or do you delete users upon logout, keeping track only of active users.

I'm thinking I should create a table with userid, time logged in, time logged out and/or status. Is that the way to go or is there some alternative approach of tracking session ids. If using a table, is there value in keeping sessionid. Should I delete row when session no longer active, negating need for whenloggedout field.

There is a login so easy to keep track of users logging in. However, it is harder to track users logging out since their session may be broken by browser crashing etc.

Is it best practice to consider users logged in as long as they have not destroyed session... for example, FB and Gmail will leave you logged in almost indefinitely--or should there be a time limit since last activity? The idea of saving to this table every time there is activity on site is not appealing.

Right now, I'm thinking of following:

create table loggedin (userid (int), whenloggedin (datetime), whenlogged out (datetime), loggedin(tinyint))

with the latter going to 0 either if whenloggedout not null or after some long time limit like 24 hours. I imagine FB while leaving you logged in for long periods of time, also keeps track of activity for purposes of chat etc. but not sure. I'm also thinking of letting the table expand, rather than deleting closed sessions but maybe that's a mistake.

Would this approach be considered adequate or is there a better way. Many thx for advice on this.

Answer 1

Constant Polling and using heartbeat are a good idea, but for some scenarios they may create useless load on server. I think you should think about the importance of keeping track of your users and use it very appropriately, especially considering the impacts your changes may have on load time.

Answer 2

To circumvent the problem with knowing if a user has logged out or browser crash ect, is to use a heartbeat/polling of sorts here is a stripped down example of how you can do that with jQuery

function heartbeat(){
   setTimeout(function(){
      $.ajax({ url: "http://example.com/api/heartbeat", cache: false,
      success: function(data){
        //Next beat
        heartbeat();
      }, dataType: "json"});
  }, 10000);//10secs
}

$(document).ready(function(){
    heartbeat();
});

http://example.com/api/heartbeat would keep the session alive & update a timestamp in your db, then on each page load you would check the time stamp with current time ect and if its lower then say 15 seconds then you would log them out.

Answer 3

Depending on how you want it to work you basically have two options:

• Define a timeout after which you consider a user logged out
• Use ajax/websockets/whatever to poll user

1: Timeout

This is the simpler use case. Every time the user requests a page, you update a timestamp in your database.

To find out how many users are online, you would do a query against this database and do a COUNT of users who have been active in the last N minutes.

This way you will get a relatively accurate idea of how many people are actively using the site at the moment.

2: Constant polling

This is a bit more complex to implement due to having to update the server with Ajax. Otherwise it works in a similar fashion to #1.

Whenever a user is on a page, you can keep a websocket open or do ajax requests every N seconds to the server.

This way you can get a pretty good idea of how many people have pages open on your site currently, but if a user leaves the page open in their browser and doesn't do anything, it would still count them as being online.

A slight modification to the idea would be to use a script on the client to monitor mouse movement. If the user doesn't move the mouse on your page for say 10 minutes, you would stop the polling or disconnect the websocket. This would fix the problem of showing users who are idle as being online.