Okay, here is an outline for this type of tracking. Some of this you may already have, some of it will need to be developed:

Create a table in SQL Server that tracks logins and logouts. The table should have columns for a 20-byte hash, an original login datetime column, a timestamp or datetime column for "last hit", and a bit for tracking whether the row is a login or a logout message. Optionally, the table can perform double duty as a web page access and troubleshooting log. The columns can be expanded to include a username, a varchar for a function/method name, a web page name, timestamp, etc...

Use forms authentication on your web site.

Create a new class that implements IPrincipal and IIdentity that contains a property that is a hash of the username, password, and timestamp.

In the global.asax.vb, after authenticating the user, generate the hash and insert a new row in your LOGIN table. The hash is the primary key (or candidate key if you must have an int identity column as the PK).

Subclass the Page class and add a readonly property called "LoginKey" that will hold the hashed value. Back the property with session or viewstate. In my framework, this same class is also used to check authentication and authorization every time the page loads, but this is optional.

Pass the login key to every call to the Data layer. Every function/method in the data layer first checks with the LOGIN table to make sure that the user is logged in (a "login" message matching the loginkey exists and a corresponding "logout" message does not).

As the table is being checked, update the "last hit" column.

If the login row does not exist or if the user is already logged out, throw an exception.

You custom Page class will trap the exception and redirect to the login page.

Create a SQL Server job that runs every 2-3 minutes. This job will go through the login table and insert logout rows when it finds a "last hit" that is older than whatever your chosen timeout is. At the same time, you can delete or archive old rows.

That's it, in a nutshell. There are some other details that I have left out for brevity's sake. But you will encounter them as you put this stuff together.

Good luck,

Keith

>Hi,
>
>Thank a lot for your advise.
>Yes, I am tracking user logins and license usage of my web-based application.
>What is the best way or reliable way to solve this issue. Please advise.
>
>
>>There really isn't any reliable way to do this. Keith's example works if you close the window, but what about scenarios where the user navigates our of your application to another page? This can be a problem if you are trying to track user logins and manage license usage of a web-based application. You have to have a plan B :)
>>
>>Regards,
>>Carl.
>>
>>>>Hi,
>>>>
>>>>I like to know how can my web based application on ASP.NET able to
>>>>track web user timeout and when user click the 'x' button on the
>>>>top right of the webpage ?
>>>>
>>>>I am using SQL Server 2000 SP4.
>>>>
>>>>Anyone got any suggestion or ways to do it.
>>>>Do I need to use Javascript on this area ?
>>>>
>>>>Thank you
>>>
>>>There is a way to determine that IE is being closed in JavaScript.
>>>
>>>

function onClose()
>>>{
>>>   if(window.screenTop>10000)
>>>      {
>>>         alert("window.onClose works!")
>>>      }
>>>}
>>>window.onunload=onClose

>>>
>>>Timeout is set in machine.config and for each application in the web.config. I'm not aware of any events that fire when a session times out.