Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.

closed function qa_get_logged_in_userid()

+2 votes
120 views
asked Oct 23 in Q2A Core by esqeudero
closed Oct 29 by esqeudero
I noticed that the function qa_get_logged_in_userid() does not work properly.

Especially, if user logged in ticking "Remember Me".

I have a plugin that check the function qa_get_logged_in_userid() in every 3 minutes adds record to a database table sending data of userid and currentime. If users is not logged in after 3 minutes the row in database will be deleted.

I noticed that userid=1 which admin is always logged in.

I tried close browser. Nothing change. The only thing is log out action.

Plus, my another demo users that I remember logged in ticking  "Remember Me" also appears logged in.
Q2A version: q2a 1.7.5 customized
closed with the note: I have solved the problem with ajax polling check.
commented Oct 23 by arjunsuresh
That's how it should behave rt? Remember me means until session ends user must be logged in.
commented Oct 23 by esqeudero
I know, therefore, I am saying that qa_get_logged_in_userid() function actually does not show currently visiting users.
commented Oct 23 by arjunsuresh
yes, thats true. It cannot be used for getting currently active users - I suppose there is no Q2A function which does that.

2 Answers

+1 vote
answered Oct 24 by pupi1985
Due to the stateless nature of the HTTP protocol, it makes no sense to find what users are actually executing a request in a given point in time. That would only get all users which are in the middle of a connect and disconnect stage. Depending on the HTTP version, other objects, in addition to the main request, could also be fetched using the same connection, such as images. This doesn't make any difference, though, so we can consider this as a page load.

Once a disconnection is executed, which would happen immediately after a page load, the link between the user and the server is gone. In order to workaround this, wrappers around this stateless approach have been created, for example, cookies and server-side sessions. They will give the impression that users are logged in between requests and avoid authentications between requests.

However, each request will have access to their own session. Getting information from other active sessions is a security risk. Usually PHP and web servers work together to manage sessions, usually configured as files stored in a given directory. Those files are usually cleaned by a Cron job (in *nix-based systems). Once the file is removed, the session is lost.

Rather than getting deeper into this it might be better to make some clarifications. The logout works pretty well to understand when a session is killed. The problem is that unless a user logs out, and as long as the cookie is set and the session is active (the operating system has not removed it yet), the user will be able to access the site without the need to actually log in. So monitoring logouts and logins make sense as session observers.

However, if you consider an "active user" as user that has logged in your site in the last 3 minutes, you will be expecting people to input user and password every 3 minutes in order to observe their logins, and that's not going to happen.

In short, if you want to keep track of active users just follow a keep-alive approach. Each time a user refreshes a page, just insert/update the record in the database with the current time. Then remove the ones with a Cron job, if you want that approach.

Extra tip 1: you can improve performance significantly avoiding updating the database in every request by playing with cookies or session information.

Extra tip 2: most likely you'll want to create a composite key on the update time column and then on the user id, in that order (although this might depend on the exact SQL queries you're running).
commented Oct 25 by pupi1985
You keep referring to "users" when you talk about the qa_get_logged_in_userid() function. It WILL NOT return the "users" that are logged in, but rather the user ID of the user whose session is currently executing in the web server. Furthermore, as Arjun mentioned, "It cannot be used for getting currently active USERS". The plural seems to be the main misunderstanding and cause of the bug.

If you want to get the active sessions in the web server, then re-read the answer :)

Anyway, active sessions in the web server makes absolutely no sense. Just use the currently logged in user to self update their own record in the database in every page load, so you don't need Q2A to give you all active users as you keep track of them one by one. I think that is as far as I can get with the information I have
commented Oct 25 by esqeudero
the plural 's' is typo. I think you actually understand that I mean userid.  You say "Just use the currently logged in user to self update their own record in the database in every page load". that's what I did in my custom plugin.

I am just addressing another issue. I am saying that this method work for all users except who logged in by ticking remember me checkbox. Self-update of records keeps occurring even if the user does not visit the site.
It happens only for users who once before l logged in with remember me checkbox.
0 votes
answered Oct 29 by esqeudero
I have solved the problem with ajax polling check.
...