I want to implement a basic login system in some PHP app where no cookies will be involved. I mean, the user closes the browser and the login expires, it will remain active during the browser session (or if the user explicitly logs out) otherwise.

I want to log all this activity and I'm thinking that every time the user refreshes the page, opens a different link or logs out, I record that time as the last access made by that user, overwriting the previous access log.

But my problem is when and how should I insert another record into the database instead of overwriting the last one?

Should I just define a timeout and if the last access was made above that timeout, another log should be inserted into the database? Should the session expire too after that timeout?

Or is there a better way?

Ideally, I would like to log the "log out action" when the browser was closed, but I don't think there's a way to detect that is there?

Suggestions?