Skip to content

fix(session): Update last_seen when user session is validated #50835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
solracsf wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(session): Update last_seen when user session is validated #50835

solracsf wants to merge 1 commit into from

Conversation

@solracsf
Copy link
Member

@solracsf solracsf commented Feb 15, 2025
edited
Loading

Summary

While doing some maintenance on my instance, I've saw a lot of users with last_seen timestamp a few months ago, like 7 months ago or even more than a year. So, I've disabled them.

A couple of minutes later, some of them were complaining their user account was disabled 😿

Example:

# occ user:info USER
  - user_id: USER
  - display_name: USER
  - email: [email protected]
  - cloud_id: [email protected]
  - enabled: true
  - groups:
    - Users
  - quota: 10 GB
  - storage:
    - free: 10737418240
    - used: 0
    - total: 10737418240
    - relative: 0
    - quota: 10737418240
  - last_seen: 2024-08-12T17:19:46+00:00
  - user_directory: /var/www/data/USER
  - backend: Database

As you can see, last_seen states user was last seen (wrongly) 6 months ago.
Yet, on the webserver log, we can see that this same user performed some operations only minutes ago:

cat /var/log/nginx/*.log | grep -F 'USER'

"[15/Feb/2025:11:08:49 +0100]" my.instance.com PROPFIND /remote.php/dav/calendars/USER/personal_shared_by_another/ 207 0.077 0.062 "DAVx5/4.3.12.1-ose (2023/12/27; dav4jvm; okhttp/4.12.0) Android/12"
"[15/Feb/2025:11:39:14 +0100]" my.instance.com PROPFIND /remote.php/dav/calendars/USER/personal/ 207 0.324 0.309 "DAVx5/4.3.12.1-ose (2023/12/27; dav4jvm; okhttp/4.12.0) Android/12"

Problem is that those users NEVER use the WebUI, they only use some apps to sync their data, like Calendar or Contacts sync, etc. So, they never complete a full logout + full login.

My proposal here is to update the last_seen timestamp also when we validate their session, since that, in my opinion, as an instance administrator, I want to be able to rely on the last_seen field to really know when the user was last seen (and by last seen, I mean user has done some kind of legit activity on the instance, while being a valid user). As per actual logic, it would be updated, at most, once every 60s.

IMO, this is actually a bug (not a feature) because updating last_seen field only on full logout + login is not reliable.

Please review.

Checklist

@solracsf solracsf self-assigned this Feb 15, 2025
@solracsf solracsf changed the title fix(session): Update last seen when user session is validated fix(session): Update last_seen when user session is validated Feb 16, 2025
@susnux susnux requested a review from come-nc February 16, 2025 23:40
@solracsf
Copy link
Member Author

solracsf commented Feb 17, 2025
edited
Loading

I've put this change as-is into production 2 days ago (v30). Now I can see that users listed as seen by the system as "months ago", are in fact active, and are now listed as last seen "minutes or hours ago". This is what I expect to be reported.

come-nc
come-nc reviewed Feb 18, 2025
View reviewed changes
Copy link
Contributor

@come-nc come-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How often is that executed?
It turns last login into last activity, no?

I understand the issue though, for webdav each request is a login, no?

@solracsf solracsf added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Feb 22, 2025
@solracsf
Copy link
Member Author

solracsf commented Feb 22, 2025

How often is that executed?

As per actual logic, it would be updated, at most, once every 60s.

@solracsf solracsf marked this pull request as ready for review February 22, 2025 08:05
@solracsf solracsf added this to the Nextcloud 32 milestone Feb 22, 2025
@solracsf solracsf requested review from a team, nfebe, provokateurin and sorbaugh and removed request for a team March 11, 2025 17:49
This was referenced Aug 22, 2025
Merged
Merged
Merged
This was referenced Sep 2, 2025
Merged
Merged
@nextcloud-bot nextcloud-bot mentioned this pull request Sep 10, 2025
Merged
@nextcloud-bot nextcloud-bot mentioned this pull request Sep 18, 2025
Merged
This was referenced Sep 25, 2025
Merged
Merged
@skjnldsv skjnldsv modified the milestones: Nextcloud 32, Nextcloud 33 Sep 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@come-nc come-nc come-nc left review comments

@ChristophWurst ChristophWurst Awaiting requested review from ChristophWurst

@nfebe nfebe Awaiting requested review from nfebe nfebe is a code owner automatically assigned from nextcloud/server-backend

@provokateurin provokateurin Awaiting requested review from provokateurin provokateurin is a code owner automatically assigned from nextcloud/server-backend

@sorbaugh sorbaugh Awaiting requested review from sorbaugh sorbaugh is a code owner automatically assigned from nextcloud/server-backend

At least 2 approving reviews are required to merge this pull request.

Assignees

@solracsf solracsf

Labels

3. to review Waiting for reviews technical debt

Projects

None yet

Milestone

Nextcloud 33

Development

Successfully merging this pull request may close these issues.

4 participants

@solracsf @come-nc @skjnldsv