There are a bunch of ways to do this but the best is probably database. Given that they are registered users you should have a database containing some information about them already which allows them to login, etc.

We actually do something else as well, we append the user id to the entry in our apache logs, this means once someone logs in we have the ability to see avery step they take. We can then parse our logs in anyway we like and it stops the extra load of hitting the database everytime. Apache already does logging and is very good at it so we didn't feel the need to do much else. There is a thread around about doing it in PHP I can link to if you're interested in that.

Otherwise just integrate the tracking into your database.

Thanks for replying. Im not sure of the exact setup of how our site allows valid users access to the restricted area but our IT guys mentioned that IIS generates a unique ID to valid users. But this ID only last for the session and the ID is not related back to the database in any way.

I would like to see the thread you talk about... The more ammo of information i have when going back to IT the better cause they tend to talk marsion sometime... (straight over my head :-))

hehe

the thread I mentioned is for Apache
Getting PHP session variables into your Apache logs [webmasterworld.com]

they are just talking about the session ID it would seem. I would think that each user has a unique value to identify them within your site. Either the username or an assigned userid in your database. I would think this unique identifier would need to be stored in the session as they navigated through the secure section, otherwise it would be impossible to authenticate them for every secure page.