We have a user who was deactivated in Jira but the jira db cwd_user_attributes login.lastLoginMillis shows he logged in even after deactivation.
Just wanted to know if the expiration of the stored token (created by the remember me option) will trigger this attribute, or any other event which is not actually a user logging in.
We have jira 8.5 datacenter and oracle database.
It is the attempt to log in that matters. Jira does not look at deactivation status until after the user has logged in.
Cookies can hold current login information and be used by the browser to get back in. That, and other SSO-like logins are not counted as logins - they're already logged in if they are coming in via them.
Thank you Nic. So the user did enter his credentials and log in. But the user was disabled in LDAP and the login should have failed. Will a failed attempt update as updateLastLoginTime? Are there any other reasons why this field was updated after LDAP was disabled?
Hi @Divya TV, I was checking the source code of Jira Server 8.12.0 but I think it will be the same as DC 8.5. And I found this method:

public LoginInfo recordLoginAttempt(final ApplicationUser user, final boolean authenticated) {
    notNull("user", user);
    UserWithAttributes userWithAttributes = crowdService.getUserWithAttributes(user.getName());
    if (authenticated) {
        // reset the failed count
        setLong(userWithAttributes, CURRENT_FAILED_COUNT, 0);
        updateLastLoginTime(userWithAttributes);
    } else {
        updateLastFailedLoginTime(userWithAttributes);
    }
    // Need to get a new copy of the attributes now.
    return getLoginInfo(user);
}

Method updateLastLoginTime updates the property you mentioned, while method updateLastFailedLoginTime updates property login.lastFailedLoginMillis. So for me it looks like the user was authenticated successfully. Can you check the user's Audit log (https://confluence.atlassian.com/adminjiraserver/auditing-in-jira-938847740.html#AuditinginJira-Viewtheauditlog)?
Thank you Martin. So the user was disabled in LDAP, which is used for authentication. Audit log shows the user was changed from active to inactive. But I don't have details on whether he was authenticated. How does a user log in successfully if he was disabled in LDAP? Will the remember me cookie still allow him to log in? Also checked the Jira database for the stored token and that is empty.
https://jira.atlassian.com/browse/JSWSERVER-20649
Our situation is similar and it's a product defect.
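
The check discussed in this thread, as an added example that is not part of any post above and not Atlassian code: it compares the two attributes written by recordLoginAttempt against each user's deactivation time. The input shapes are assumptions: rows are (user_name, attribute_name, attribute_value) tuples exported from cwd_user_attributes, deactivation times are read manually from the audit log, and all sample values are constructed.

```python
from datetime import datetime, timezone

# Attribute names from the thread: recordLoginAttempt() updates the first on a
# successful authentication and the second on a failed one.
LAST_LOGIN = "login.lastLoginMillis"
LAST_FAILED = "login.lastFailedLoginMillis"

def to_utc(millis):
    """Convert epoch milliseconds (as stored in attribute_value) to an aware datetime."""
    return datetime.fromtimestamp(int(millis) / 1000, tz=timezone.utc)

def logins_after_deactivation(attribute_rows, deactivated_at):
    """Flag login attempts recorded after a user's deactivation time.

    attribute_rows: iterable of (user_name, attribute_name, attribute_value)
    deactivated_at: {user_name: aware datetime}, taken from the audit log
    """
    findings = []
    for user, name, value in attribute_rows:
        if name not in (LAST_LOGIN, LAST_FAILED) or user not in deactivated_at:
            continue
        try:
            when = to_utc(value)
        except (TypeError, ValueError):
            continue  # attribute empty or not numeric: nothing to compare
        if when > deactivated_at[user]:
            kind = "successful" if name == LAST_LOGIN else "failed"
            findings.append({"user": user, "kind": kind, "at": when,
                             "delay": when - deactivated_at[user]})
    return sorted(findings, key=lambda f: (f["user"], f["kind"]))

def _ms(*parts):
    """Build a constructed attribute_value string from a UTC date."""
    return str(int(datetime(*parts, tzinfo=timezone.utc).timestamp() * 1000))

# Constructed sample data (hypothetical users, not from the thread).
SAMPLE_DEACTIVATED = {
    "jdoe": datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc),
    "asmith": datetime(2020, 9, 1, 12, 0, tzinfo=timezone.utc),
}
SAMPLE_ROWS = [
    ("jdoe", LAST_LOGIN, _ms(2020, 9, 3, 8, 30)),    # success after deactivation
    ("jdoe", LAST_FAILED, _ms(2020, 8, 20, 9, 0)),   # failure before deactivation
    ("asmith", LAST_LOGIN, _ms(2020, 8, 30, 7, 0)),  # success before deactivation
    ("asmith", LAST_FAILED, _ms(2020, 9, 2, 7, 0)),  # failure after deactivation
    ("asmith", LAST_LOGIN, ""),                      # malformed value, skipped
]

if __name__ == "__main__":
    for f in logins_after_deactivation(SAMPLE_ROWS, SAMPLE_DEACTIVATED):
        print(f"{f['user']}: {f['kind']} login at {f['at']:%Y-%m-%d %H:%M} UTC "
              f"({f['delay']} after deactivation)")
```

A "successful" finding is the case raised in this thread; a "failed" finding only shows that an attempt was rejected after deactivation.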