Bug #71312

fe_users: a logout does not clear the field 'is_online'

Added by Bernd Wilke about 5 years ago. Updated about 1 month ago.

Status: New
Priority: Should have
Assignee: -
Category: Authentication
Start date: 2015-11-04
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

On login the field 'is_online' is written with a timestamp.
On interaction with the site the field is updated.
So you can consider a user as inactive if the timestamp is older than N minutes.

But if a user explicitly logs out, the field is not cleared; the last value stays in the field.
In this way you cannot determine active users, as the logged-out user may have called pages up until the logout and got a newer timestamp than a user who is reading for some time on a page and may interact in the next minute as his login is still valid.


Related issues

Related to TYPO3 Core - Story #84616: Add currently online users information (Closed, Jan Stockfisch, 2018-04-04)

#1

Updated by Bernd Wilke about 5 years ago

Meanwhile you can use a hook as a workaround:

in ext_localconf.php:

$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'][] = 'Tx_MyExt_Hooks_FrontendLoginHook->resetIsOnline';

in EXT:my_ext/Classes/Hooks/FrontendLoginHook.php:

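<?php
class Tx_MyExt_Hooks_FrontendLoginHook
{
    /**
     * Hook for 'logoff_pre_processing': resets fe_users.is_online on an explicit logout.
     */
    public function resetIsOnline($params, &$pObj) {
        // The hook is shared by frontend and backend authentication; only act on frontend users
        if ($pObj->user_table !== 'fe_users') {
            return;
        }
        // Read the session record without refreshing the session timestamp
        $currentData = $pObj->fetchUserSession(true);
        if ($currentData) {
            // Database rows may carry the uid as a string; cast it so only an integer reaches the WHERE clause
            $currentUser = (int)$currentData['uid'];

            if ($currentUser > 0) {
                $into_table = 'fe_users';
                $where_clause = 'uid = ' . $currentUser;
                $field_values = array(
                    'is_online' => 0
                );

                $res = $GLOBALS['TYPO3_DB']->exec_UPDATEquery($into_table
                    , $where_clause
                    , $field_values
                );
            }
        }
    }
}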

#2

Updated by Jigal van Hemert over 4 years ago

  • Status changed from New to Needs Feedback

The database field may not have the correct name, but it contains the timestamp of the last activity of the user. HTTP is a stateless protocol and thus a webserver takes every request as a separate event. Most users don't explicitly log off; they just close the browser or move to a different URL. There is no good way to know if the user is really online or has silently left.
Web statistics have the same challenge and usually look at the time between two requests of the same origin and if that is longer than a threshold they consider it two visits.

#3

Updated by Bernd Wilke over 4 years ago

Users who do not log out may not be identified correctly. That problem cannot be solved.
Users who did log out could be decided, but the core does not do it, so it is possible in an easy way (see hook).
It would be helpful to have at least this in the core.

#4

Updated by Alexander Opitz about 4 years ago

The 'is_online' state is updated every 60 seconds, so timestamps older than 120 s (2 min) can be read as not online anymore. A value of 0 means the user never logged in.

I think this should be enough. Do you have a scenario where a better solution is needed?

#5

Updated by Bernd Wilke about 4 years ago

Since when is the status of a FE-user updated every 60 seconds?

The ticket was created for showing the availability of support members. They logged in in the FE to show up in the list and should be removed immediately on demand. They are not active in the FE, so there are no page refreshes and no updates of the field 'is_online'.
The availability is shown to visitors with an AJAX refresh every minute.

The only solution was the hook to clear the field at an explicit logout.

#6

Updated by Alexander Opitz about 4 years ago

Ok, to clarify my statement:

The 'is_online' value only gets updated with requests after 60 seconds and not on every request.

#7

Updated by Bernd Wilke about 4 years ago

Then your statement "so timestamps older than 120 s (2 min) can be read as not online anymore." is wrong,
as a user who does not interact with the webserver between 60 and 120 seconds is wrongly considered offline.
Maybe a user needs 3 minutes to read a page. Is he offline? No!

Either the field name is wrong (it does not hold the online state of the user and you cannot clearly decide the status from the timestamp the field holds) -
or the behaviour must change in case you clearly can decide the state (= the user logged off explicitly).

#8

Updated by Alexander Opitz about 4 years ago

"can be read" ... that does not mean you MUST read them as offline.

#9

Updated by Alexander Opitz about 4 years ago

  • Status changed from Needs Feedback to New
  • Target version set to Candidate for Major Version

As this needs API/Functionality changes it can only be handled in a new Major Version:

IMHO we need to split the meaning to 2 fields as "state online/offline" and "last seen online"

#10

Updated by Jigal van Hemert almost 3 years ago

Alexander Opitz wrote:

IMHO we need to split the meaning to 2 fields as "state online/offline" and "last seen online"

Splitting the field doesn't add information. The main difference between FE and BE is that in the backend a JS function regularly does an AJAX call to update the logged in status. In the frontend the CMS has no control over JS functionality so the only thing it can do out of the box is update it on each request.
If you really want to keep track of users that have a browser window open as "logged in" you can simply build some JS with a timer that does an AJAX call to a script that updates the field.

Shall we close this issue?

#11

Updated by Alexander Opitz almost 3 years ago

Jigal van Hemert

The original issue is about the "logout" button. The user is still managed as "is_online".

#12

Updated by Bernd Wilke over 2 years ago

  • Related to Story #84616: Add currently online users information added

#13

Updated by Benni Mack 9 months ago

  • Status changed from New to Needs Feedback

This behaviour was optimized / fixed in TYPO3 v7, but as "is_online" contains the online timestamp every 60 seconds, it is neither "last logged in" nor "is online". Depending on the amount of online users, this is the way it currently is.

Unsetting this value is not an option, as this would mean that we would lose the information when the user was previously "active" at all.

The only way to do this is to track user interaction in general via a history / logging mechanism, this would again be a GDPR issue -- all in all this is not optimal in so many ways.

The main issue is that the field just does not contain a bool (true/false) but a timestamp, so we could rename the field, as Jigal suggested - but that would mean we would be breaking. It's similar to "l18n_parent" in tt_content which is just wrong, but would be breaking as well.

#14

Updated by Bernd Wilke 9 months ago

Regarding GDPR:
If the field contains information about the last contact to the server, it holds more information than necessary,
especially if the user has terminated his session by using the logout button.

I wonder why this field cannot change (name and/or behaviour) while the core has changed with so many breaking changes since the origins or even since 6.2 (when this ticket was opened).

Anyway:
I don't manage that instance any more and there was a solution with the hook to get a correct behaviour.
Continue to tear down cities, but don't dare to touch a bird box.

#15

Updated by Benni Mack 9 months ago

  • Status changed from Needs Feedback to New

Bernd Wilke wrote:

Regarding GDPR:
If the field contains information about the last contact to the server, it holds more information than necessary,
especially if the user has terminated his session by using the logout button.

I wonder why this field cannot change (name and/or behaviour) while the core has changed with so many breaking changes since the origins or even since 6.2 (when this ticket was opened).

Anyway:
I don't manage that instance any more and there was a solution with the hook to get a correct behaviour.
Continue to tear down cities, but don't dare to touch a bird box.

I totally see your point. We could target this for v11 - and honestly this wouldn't be such a breaking change as making "crdate" a DateTime field ;) Seeing e.g. "tt_content.image" shifted to "tt_content.assets" in between worked out just fine.

I just wanted to write down the possible solutions again to keep this information somewhere.
  • create a new field "last_activity" that contains this information as before, or
  • create a new field e.g. "onlinestatus" (as bool or dropdown) and gets set on logout as well
    Could be done for v11.0
  • drop field "is_online" in v11.0.
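
The difference between the timestamp-only reading discussed in comments #4 to #7 and the two-field split proposed in #9 and #15, as an added example that is not part of the ticket or of TYPO3 core. It is a plain-PHP model without any TYPO3 API; the field names last_activity and onlinestatus come from comment #15, while the function names, the 3600 s session lifetime and the timeline are assumptions. With the constructed timeline the timestamp-only reading misjudges both users, and the two-field reading does not.

```php
<?php
// Added example: plain-PHP model, no TYPO3 API involved.
const UPDATE_INTERVAL = 60;     // write throttle from comments #4 and #6
const SESSION_LIFETIME = 3600;  // assumed session lifetime in seconds

function login(int $now): array
{
    return ['last_activity' => $now, 'onlinestatus' => true];
}

function request(array $user, int $now): array
{
    // The timestamp is only rewritten once the stored value is older than the throttle.
    if ($user['onlinestatus'] && $now - $user['last_activity'] > UPDATE_INTERVAL) {
        $user['last_activity'] = $now;
    }
    return $user;
}

function logout(array $user): array
{
    // Explicit logout flips the state and keeps the "last seen" value.
    $user['onlinestatus'] = false;
    return $user;
}

// Single-field reading (today's is_online): a fresh timestamp means online.
function onlineByTimestamp(array $user, int $now, int $maxAge = 120): bool
{
    return $user['last_activity'] > 0 && $now - $user['last_activity'] <= $maxAge;
}

// Two-field reading: an explicit logout wins, the timestamp only expires silent leavers.
function onlineByState(array $user, int $now): bool
{
    return $user['onlinestatus'] && $now - $user['last_activity'] <= SESSION_LIFETIME;
}

// Constructed timeline, in seconds since an arbitrary start.
$reader = login(1000);                                         // logs in, then reads without requests
$clicker = logout(request(request(login(1000), 1070), 1140));  // browses, then logs out
$now = 1180;

foreach (['reader' => $reader, 'clicker' => $clicker] as $name => $user) {
    printf(
        "%-8s timestamp-only: %-7s two-field: %s\n",
        $name,
        onlineByTimestamp($user, $now) ? 'online' : 'offline',
        onlineByState($user, $now) ? 'online' : 'offline'
    );
}
```
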
#16

Updated by Georg Ringer 8 months ago

  • Sprint Focus set to Needs Decision

#17

Updated by Markus Klein about 1 month ago

  • Description updated (diff)
  • Category changed from felogin to Authentication

#18

Updated by Markus Klein about 1 month ago

  • Sprint Focus deleted (Needs Decision)
