last_login currently useless #188

Open
paulcanning opened this issue Jan 26, 2017 · 9 comments

@paulcanning
Contributor

The way the last_login timestamp is updated makes it practically useless in its current state.

The timestamp is updated after a successful login, every time. So you can never actually see the "last/previous" time you logged in, as the single last_login timestamp is always updated, wiping away the old timestamp.

Really, you need two columns; login and last_login. login gets updated with the current time after you log in, and last_login is updated with the timestamp from login just before it gets updated.

@REJack
Collaborator

REJack commented Jan 26, 2017

Nice idea, I'll add this to v3

@REJack REJack added this to the Aauth v3.0.0 milestone Jan 26, 2017
@paulcanning
Contributor Author

I'm going to fix it in my v2, so I can try and put together a PR for it once I have it working.

@perenstrom
Contributor

I must say I disagree with this. "Last Login" should mean the timestamp of the latest login, which if you are logged in would be the time you logged in. What would be the purpose of having the timestamp of the next to last login, other than pure curiosity?

Last login is a term used all over, for example by admins looking at user registry to see when people last logged in.

@paulcanning
Contributor Author

If you read the post, you'd see it is CURRENTLY useless. As in, it is CURRENTLY broken.

@perenstrom
Contributor

No need to be snarky. I did read your post, did you read mine?

As I said, "last login" should be the latest login you have made, not the one previous to that.

@paulcanning
Contributor Author

That makes zero sense.

Think about it. For peace of mind and maybe security reasons, I want to see when my account was LAST logged in.

As of right now, in the code base, whenever a login is made, the last_login timestamp is updated, meaning you can never know when a previous successful login was made (imagine someone got your password and logged in as you).

If you store the previous successful login, a user can easily recognise if it was them that logged in, rather than someone claiming to be them.

Do you get it now?

@salain

salain commented Apr 13, 2017

@paulcanning
last_login as you see it is good, however it should also have the IP address as well as the user_agent if you want to investigate the matter further.

@perenstrom
Contributor

@paulcanning It does make sense. If I log on to my server, let's say Exchange server, as an admin and look at my user table. In the Last_logon field I would expect to see the latest time the user in question logged on. This is the way all systems I've come in contact with handle something called "last_logon".

Now I DO see your point about as a user being interested in when my previous login was (even though I think it's an edge case scenario). I don't think the feature is requested enough by users to make it a standard part of an authentication library. I would probably create my own logging table which would log all log in (and log in attempts) to a user and make that available to the user.

@REJack
Collaborator

REJack commented Apr 14, 2017

Hey together,
we already have a login_attempts table with any login attempt,
we could add a successfully & user_id field in the database and if the config option remove_successful_attempts is false we can update the fields instead of removing the attempt 😄.

@salain The IP address is already in the users & login_attempts table but the user_agent is a great idea.
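
The two approaches discussed in this thread (rotating `login` into `last_login`, and keeping every attempt with IP address and user agent in `login_attempts`) can be combined as in the sketch below. This is an added example, not Aauth code: it uses Python with an in-memory SQLite database, the schema is an assumption built from the column names mentioned above, and `successful` is a hypothetical column name.

```python
import sqlite3

# Assumed schema: column names follow the thread; `successful` is a hypothetical name.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, last_login TEXT);
CREATE TABLE login_attempts (
    id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER, timestamp TEXT,
    ip_address TEXT, user_agent TEXT, successful INTEGER);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_attempt(db, user_id, when, ip, user_agent, successful):
    """Log every attempt; on success also rotate login -> last_login."""
    with db:  # one transaction, so the audit row and the rotation commit together
        db.execute(
            "INSERT INTO login_attempts"
            " (user_id, timestamp, ip_address, user_agent, successful)"
            " VALUES (?, ?, ?, ?, ?)",
            (user_id, when, ip, user_agent, int(successful)))
        if successful:
            # last_login is assigned first so it receives the old `login` value
            # even on MySQL, which applies SET assignments left to right.
            db.execute(
                "UPDATE users SET last_login = login, login = ? WHERE id = ?",
                (when, user_id))

def previous_login(db, user_id):
    """Return (timestamp, ip, user_agent) of the successful login before the current one."""
    return db.execute(
        "SELECT timestamp, ip_address, user_agent FROM login_attempts"
        " WHERE user_id = ? AND successful = 1"
        " ORDER BY id DESC LIMIT 1 OFFSET 1",
        (user_id,)).fetchone()

if __name__ == "__main__":
    db = open_db()
    db.execute("INSERT INTO users (id) VALUES (1)")
    # Constructed sample data (documentation IP ranges).
    record_attempt(db, 1, "2017-01-20 09:00:00", "192.0.2.10", "Firefox", True)
    record_attempt(db, 1, "2017-01-25 03:12:00", "203.0.113.7", "curl", False)
    record_attempt(db, 1, "2017-01-26 08:30:00", "192.0.2.10", "Firefox", True)
    print(db.execute("SELECT login, last_login FROM users WHERE id = 1").fetchone())
    print(previous_login(db, 1))
```

Failed attempts are logged but never touch `users`, so an admin view can read `login` for the latest login while the user-facing "previous login" notice reads `last_login` or `previous_login()`.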


4 participants