The "Logging out" event when a user closes the browser

Question

I have a table called Eventlog, this table contains already data about user connection: when the user calls this action for example :

public ActionResult Login(string username, string password)
{

}

• I test whether the user already exists on database or not

• If yes, I use Session["user"] = username or FormsAuthentication.SetAuthCookie(username, true); to set the user session

• And then I put a record on the Eventlog table : user X was connected at Y o'clock

This works fine, but I want also the information about the user logging out. I can do similar thing to the LogOff Action, I guess it is gonna work fine as well, but the majority of people don't use the logoff button, they only close the browser, how is it possible to implement the user logoff event for this situation when the user closes the browser: user X has been disconnected at Y o'clock. The Session_End() does not serve the need in this situation.

Answer 1

You have to accept the limitations of web technology. Once you have sent your response to the user agent, the server has no way to know what is happening with the request. The user might close the user agent gracefully. The UA might crash. The user might lose internet connection. His computer can crash. All of this can happen before the client even receives the response. This is the environment you are dealing with. Embrace it instead of fighting it.

If tracking logoff is important to you, there are several techniques you might use:

1. Rely on the session timeout. If you choose a timeout short enough it might be enough to meet your security requirements. I would consider this the preferred way, because it is simple and proven.
2. Use scripting to send a heartbeat from the UA to the server. You can use "ping" requests, long calls etc. However, be aware of the performance impact this comes with, the number of requests to the server and the complexity of the implementation.
3. Use an existing framework such as SignalR to establish a client-to-server connection and have the client check in to the server. This is basically the second option with less manual work for you.

All of this wouldn't let you intercept user logoff or loss of connection, but if the client stops responding you know that the connection is interrupted (in one of many possible ways). So you shouldn't register this as "user logged off", but rather as "user disconnected".

Answer 2

How is it possible to implement that ? checking every 1hour if the SessionId exists or not @Mehdi

If you do a post the last time the user does a new action with something like:

if(Session["UserName"] != null) {
      /*Update the database with the last time that the user has performed a action*/
}

If you do every time the user goes to a new action, you will get the last time the user did something that has inpact on the server. Then you know the (not exact but a indicator) last time the user wasn't logged off.