I don't know anything about RADIUS, so I can't comment there, but I do know a bit about the Web, so I'll skew my response accordingly. About a year and a half ago, I was asked to do something very similar, but for what I considered to be unethical reasons: billing paying customers for the time they spent on our Web site (different company from where I now work). The Web, of course, is a stateless protocol and there is no way to tell if someone if a given session reflects use of a site.

The problem with most of your options: what if someone leaves their browser open and walks away, or what if the browser crashes? The person isn't recorded as being logged out and your session data is not accurate. Heck, what if someone logs in, gets called away for a meeting a logs out when they get back. That's an hour of "usage" that isn't. What I wound up doing is parsing my log files, checking the log in and log out times and, if they didn't log out, assume that they had used the service for a 'minimum' period of time. Since I was using Web access logs, I could also verify roughly when they were active. However, I was writing a command line tool that didn't require instant results, so I had the luxury of sacrificing performance.

Perhaps a better way of looking at this problem is considering what the real problem to be solved is? For example, if you need to determine traffic, a better metric may be to track 'hits' (which raises a whole slough of different questions, but I digress). If you needed to track what people are interested in, "hits per page" may be better.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.