Which event updates the attribute login.lastLoginMillis in cwd_user_attributes jira table?

Divya TV November 13, 2020

We have a user who was deactivated in Jira but the jira db cwd_user_attributes login.lastLoginMillis shows he logged in even after deactivation.

Just wanted to know if the stored token (created by the remember me option) expiration will trigger this attribute or any other event which is not actually a user logging in.

We have Jira 8.5 datacenter and Oracle database.

3 answers

3 accepted

1 vote
Answer accepted
Nic Brough -Adaptavist-
Community Leader
November 14, 2020

It is the attempt to log in that matters. Jira does not look at deactivation status until after the user has logged in.

Divya TV November 16, 2020

Will a stored cookie be the reason?

Nic Brough -Adaptavist-
Community Leader
November 16, 2020

Cookies can hold current login information and be used by the browser to get back in.  That, and other SSO-like logins are not counted as logins - they're already logged in if they are coming in via them.

Divya TV November 17, 2020

Thank you Nic. So the user did enter his credentials and log in. But the user was disabled in LDAP and the login should have failed. Will a failed attempt update as updateLastLoginTime? Are there any other reasons why this field was updated after LDAP was disabled?

1 vote
Answer accepted
Martin Bayer _MoroSystems_ s_r_o__
Community Leader
November 13, 2020

Hi @Divya TV, I was checking the source code of Jira Server 8.12.0, but I think it will be the same as DC 8.5. And I found this method:

public LoginInfo recordLoginAttempt(final ApplicationUser user, final boolean authenticated) {
    notNull("user", user);

    UserWithAttributes userWithAttributes = crowdService.getUserWithAttributes(user.getName());
    if (authenticated) {
        // reset the failed count
        setLong(userWithAttributes, CURRENT_FAILED_COUNT, 0);

        updateLastLoginTime(userWithAttributes);
    } else {
        updateLastFailedLoginTime(userWithAttributes);
    }
    // Need to get a new copy of the attributes now.
    return getLoginInfo(user);
}

Method updateLastLoginTime updates the property you mentioned, while method updateLastFailedLoginTime updates the property login.lastFailedLoginMillis. So for me it looks like the user was authenticated successfully. Can you check the user's Audit log (https://confluence.atlassian.com/adminjiraserver/auditing-in-jira-938847740.html#AuditinginJira-Viewtheauditlog)?

Divya TV November 16, 2020

Thank you Martin. So the user was disabled in LDAP which is used for authentication. Audit log shows the user was changed from active to inactive. But I don't have details of if he was authenticated. How does a user login successfully if he was disabled from LDAP? The remember me cookie will still allow him to login? Also checked the Jira database for stored token and that is empty.
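An added example, not part of the thread or of Jira's code: one way to look for the condition discussed above, inactive accounts whose login.lastLoginMillis is later than their deactivation time. It runs against an in-memory SQLite database with constructed rows in place of the Oracle database; the column names (id, user_name, active, user_id, attribute_name, attribute_value) are assumed to match Jira's schema, and the deactivation times are assumed to be taken from the audit log.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows. Table and attribute names are from the thread; the
# column names are assumed to match Jira's schema. SQLite stands in for Oracle.
SCHEMA = """
CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT, active INTEGER);
CREATE TABLE cwd_user_attributes (
    user_id INTEGER, attribute_name TEXT, attribute_value TEXT);
INSERT INTO cwd_user VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0);
INSERT INTO cwd_user_attributes VALUES
    (1, 'login.lastLoginMillis', '1605500000000'),
    (2, 'login.lastLoginMillis', '1605600000000'),
    (2, 'login.lastFailedLoginMillis', '1605700000000'),
    (3, 'login.lastLoginMillis', '1600000000000');
"""

QUERY = """
SELECT u.user_name, CAST(a.attribute_value AS INTEGER)
FROM cwd_user u JOIN cwd_user_attributes a ON a.user_id = u.id
WHERE u.active = 0 AND a.attribute_name = 'login.lastLoginMillis'
ORDER BY u.user_name
"""

def logins_after_deactivation(conn, deactivated_at):
    """Inactive users whose last successful login postdates deactivation.
    deactivated_at maps user_name to a UTC datetime (assumed: from the audit log).
    """
    hits = []
    for name, last_ms in conn.execute(QUERY):
        cutoff = deactivated_at.get(name)
        if cutoff is None:
            continue  # no deactivation time known, nothing to compare
        last_login = datetime.fromtimestamp(last_ms / 1000, tz=timezone.utc)
        if last_login > cutoff:
            hits.append((name, last_login))
    return hits

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed deactivation time for the two inactive sample users.
    cutoff = datetime(2020, 11, 16, tzinfo=timezone.utc)
    return logins_after_deactivation(conn, {"bob": cutoff, "carol": cutoff})

if __name__ == "__main__":
    for user, when in demo():
        print(f"{user}: login recorded at {when.isoformat()}, after deactivation")
```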

0 votes
Answer accepted
Divya TV November 17, 2020

https://jira.atlassian.com/browse/JSWSERVER-20649 

Our situation is similar and it's a product defect.

DEPLOYMENT TYPE
SERVER
VERSION
8.5.4