Total time logged in.

iago · December 26, 2010, 12:51:48 AM

Quote from: deadly7 on December 25, 2010, 03:47:45 PM
Quote from: iago on December 25, 2010, 09:53:50 AM
If you leave your browser open on a page and don't click anything, the site has no way to know that you're still there (because you aren't sending it any requests).
I believe SMF keeps a 10 minute session open and then re-leases that time every new request you send. I don't remember where I read that though.

Yeah, that's pretty much the only way to do it. And it makes sense.

deadly7 · December 26, 2010, 05:14:10 PM

Quote from: iago on December 26, 2010, 12:51:48 AM
Yeah, that's pretty much the only way to do it. And it makes sense.

How do they keep timed session? Is it just a timestamp stored in a cookie that then gets read by the website?

iago · December 26, 2010, 07:34:03 PM

Quote from: deadly7 on December 26, 2010, 05:14:10 PM
Quote from: iago on December 26, 2010, 12:51:48 AM
Yeah, that's pretty much the only way to do it. And it makes sense.
How do they keep timed session? Is it just a timestamp stored in a cookie that then gets read by the website?

No idea, but the most logical way to time a session would be to measure time between page hits. After a certain threshold, it counts as a new 'visit'.

Joe · December 27, 2010, 07:57:51 AM

They could just set a last visit field on your user row in the database. If you did it with a ~~session variable~~ cookie, you could hack it each time so your last load was 9 minutes and 50 seconds previous and rack up time very quickly. Then again, only the truly paranoid would protect against this attack.

EDIT -
It's 7:02 AM. That's my excuse and I'm sticking with it.

deadly7 · December 27, 2010, 11:33:49 AM

Quote from: Joe on December 27, 2010, 07:57:51 AM
They could just set a last visit field on your user row in the database. If you did it with a ~~session variable~~ cookie, you could hack it each time so your last load was 9 minutes and 50 seconds previous and rack up time very quickly.

I'd understand for something meaningful why they would protect against that. My credit card website times you out after a certain amount of inactivity and you have to log back in. For SMF, I can't understand any reason for doing so.

Newby · December 27, 2010, 04:30:20 PM

Quote from: deadly7 on December 27, 2010, 11:33:49 AM
My credit card website times you out after a certain amount of inactivity and you have to log back in. For SMF, I can't understand any reason for doing so.

Likely the same way it does it.

The way the Last Activity page works is that it lists the last users logged in, the last page they loaded and how long ago that was. Within 15 minutes of you loading that page. Anyone wanna bet it has something to do with that?

(It adds your time between page loads to your total time logged in, and if you don't load a page after 15 minutes it adds 15 minutes and kills your session.)

Were we still really wondering how it works? Maybe I just jumped to conclusions.

Basically anyone that wanted to cheat that number could load Opera and have it refresh once every 15 minutes. Any faster than that and you're just wasting iago's precious bandwidth. :(

Clan x86

News:

Total time logged in.

iago

deadly7

iago

Joe

deadly7

Newby