#7480 Track last session info

v1.2.0
closed
nobody
42cc (432)
General
2015-08-20
2014-06-18
No

For security/audit purposes, we'd like to record the last time a user logged in, and the last time they had an active session (since with "remember me" the login date may be quite old but they're still active), and the User-Agent and IP address used. This should be independent of the Auth Provider if at all possible (e.g. works with both local and ldap).

Since "active session" will be new every time a user accesses any page, that would cause us to save new timestamp/ip/ua on every pageview which is a little extreme and could have performance implications. I think it'd probably be better to only store it with a whole-day granularity, so we only need to update the value once per day (or more if IP/UA changes).

I haven't thought too much about where to store this but maybe a dict in the User model that would store all the fields (e.g. dict last_access with fields login_timestamp, login_ip, login_ua, session_date, session_ip, session_ua).

Add the new fields to scripts/scrub-allura-data.py too

Discussion

  • Igor Bondarenko

    Igor Bondarenko - 2014-07-18

    Closed #610. je/42cc_7480

     
  • Igor Bondarenko

    Igor Bondarenko - 2014-07-18
    • status: in-progress --> code-review
     
  • Dave Brondsema

    Dave Brondsema - 2014-07-21
    • status: code-review --> closed
    • QA: Dave Brondsema
    • Milestone: forge-backlog --> forge-jul-25
     
  • Dave Brondsema

    Dave Brondsema - 2015-01-05
    • Milestone: unreleased --> asf_release_1.2.0
     

Log in to post a comment.