httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: [users@httpd] How to Find Online Users?
Date Wed, 17 Sep 2008 18:44:08 GMT
Justin Pasher wrote:
> amiribarksdale wrote:
>> What is the "standard" way to determine whether a user is indeed 
>> logged in to
>> a site and online right then? I have a web app where users log in and 
>> get a
>> cookie. Part of it is the sessin cookie which expires at the close of the
>> session, and part of it is a longer lasting authentication cookie. Am I
>> supposed to use the session cookie for this? Does it have to be stored in
>> the db so it can be timestamped?
>> Amiri
> Since HTTP is a stateless protocol, it requires a little creativity to 
> track "online" users. One way is to have a table in a database that 
> keeps track of a person based upon their username/IP address and the 
> last time they loaded a page. For example
> * Client visits a page
> * Add/Update a row in the table with the client's username/IP address 
> and set the timestamp to the current time
> * To retrieve a list of "online" users, pull all rows in the database 
> with a timestamp within the last X minutes (for example, 10 minutes).
> You could then periodically delete any rows from the table that are 
> older than X minutes or hours. This would help keep the size down. The 
> username for a client would be based upon a cookie or session 
> information stored within your page.
Another way of saying this, is that HTTP as a protocol, and the HTTP 
server itself, have no such concept as a "logged-in user".  Each request 
from the browser to the server, as far as they are concerned, is 
independent from the next one, even if it comes from the same 
workstation or IP address.
So the concepts of "logged-in user" or "connected workstation" are at 
the application level, and that is also where you have to handle it.

If both the server and the browser use the "KeepAlive" feature, then to 
some extent there is one TCP-IP session kept open between them for a 
certain duration or a certain number of requests-responses, but that has 
only a vague relationship with the a concept of "on-line users" : such a 
session may remain connected for a while after a single browser request, 
even if the browser just requested the homepage once without ever 
"logging in" to any application afterward.
The same thing with a "disconnect" or "logout" from an application : if 
the browser just moves to another page on another server, or is just 
closed, or the workstation is powered off, the server would never know 
about it.  Some web applications implement a timeout, and internally do 
some kind of "logout" of the session if they have not seen any new 
interaction for a while. But this happens at the back-end application 
level, not at the HTTP server level.

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message