Show user last login time

Hello XWiki Community!

We’ve received a request from a client to enhance our platform by implementing a feature that displays users’ last login information and allows for sorting and categorization based on this data. After some exploration, it appears that this has been a topic of interest in our community before, as evidenced by discussions in the following threads:

  1. How to see last login timestamp for users
  2. Remember last time user logged on

Requirements:

  1. User Categorization: We aim to develop a mechanism that categorizes users based on their last login time, providing a streamlined approach to managing user activity.
  2. Reporting: The proposed feature will include an option to generate a comprehensive list of registered users alongside their last login times, facilitating efficient review and analysis.

Acceptance Criteria:

  1. User Categorization: Users should be easily categorized into groups based on their last login time, allowing for flexible management strategies (e.g., users who logged in more than X days ago).
  2. Reporting: Administrators will have access to a detailed report containing the list of registered users and their corresponding last login times, empowering them with valuable insights into user engagement and activity.

Feedback Request:

We believe that incorporating this feature will greatly enhance user experience and administrative capabilities within XWiki. However, we value your input and insights. We encourage you to review the proposed requirements and mock-ups provided below and share your thoughts, suggestions, or concerns by 15th of June. Your feedback will play a crucial role in shaping the development and implementation of this feature.

Mock-ups:
v0


v1

v2

Looking forward to your feedback!

Just for transparency, when @ndascalita writes “we” he means XWiki SAS. From my own interaction with a client of XWiki SAS, the mention of “last login time” might be misleading. I think the real need is to know when the user was last active, i.e., when did the user last access the wiki while being logged in. The need is to know about users who didn’t use the wiki in a certain time to, e.g., disable or delete them, not about users who didn’t use the login functionality in a long time.

Regarding the activity summary, in the v2 mock-up, I believe we could have this data already from the activity stream, and it might be possible to retrieve this summary with a Solr query.

The main question for me is how to store the “last active time”. I see three options:

  1. Directly in the user profile. While this is easiest to implement, it has several disadvantages as it creates new revisions of the user profile and the data is public by default which seems bad from a data protection point of view.
  2. In a separate database table. This gives us most freedom but sounds like a bit much for such a little feature. I wonder if it could make sense to introduce a more generic table for “private” user properties that shouldn’t be in the (by default public) user document.
  3. In the event stream (in Solr). This sounds like a compromise, but I’m not sure about the implications, as it might, e.g., not be that easy to load this data in a user list/as filter for a user list.

@ndascalita Several questions regarding your requirements:

  1. For whom should this data be accessible? Just admins or also regular users?
  2. Do you confirm that this is not about last login but about last active time (i.e., last visit of the wiki while being logged in)?
  3. What granularity should the data have, i.e., how frequently should it be recorded that a user has been active (or logged in, if you really care about that)? In your mock-ups you show days, which would imply that storing a day would be enough, and we don’t need hours/minutes/seconds?

Thank you very much!

Thank you @MichaelHamann for the additional questions.

  1. The data should be accessible in my opinion only by admins - for privacy reasons
  2. I can confirm that I was trying to refer to the last active time
  3. Considering the use case I think storing the day should be enough

Some questions and remarks

  1. Is your proposal to include this in XWiki platform or as an XWiki Contrib extension?
  2. Please don’t mention “clients”, this is an open source community forum. There are only users here.
  3. Are you proposing to implement this yourself?
  4. I’m missing the explanation of the need. Could you explain why you need to know users’ last login times?
  5. Why do you want to categorize users based on their login times? What are examples of actions to do when you see for example that there are 10 users who haven’t logged in, say, 1 month for example? Is it to disable their user account for security reasons? (to prevent someone from stealing their credentials and using them, and generally to reduce the surface attack)
  6. “empowering them with valuable insights into user engagement and activity.” You won’t get activity by this feature. Re engagement, it’s also debatable. It’s not because someone logs in that they do anything useful in the wiki…
  7. “We believe that incorporating this feature will greatly enhance user experience and administrative capabilities within XWiki.” Not sure who is “we” here. You? Personally I don’t believe this. For me, this is a very minor feature and not something that should be in XS by default (it’s not core). I’d see it as a contrib extension.
  8. Re mockup v1, I personally don’t believe in “forcing” users to log in. What you need to do is make the wiki useful for users and they’ll come and use it. If they’ve logged in once and didn’t come back it’s not that they don’t know about it but that they don’t find it useful.
  9. On the mockup V2 there’s an activity column. How do you get that information? Is it an integration with the deprecated stats app, an integration with the Matomo extension or something else?

Thanks

Hello @vmassol,

  1. I would see this as part of the XWiki platform
  2. Sorry about that
  3. No, I’m more interested in getting a time estimation on how much time would be needed to implement it
  4. There are multiple reasons:
    • By categorizing and managing users based on their last login time, administrators can keep the user base clean and up-to-date, ensuring that only active users have access to resources.
    • Inactive accounts can pose a security risk if they are not properly managed. Hackers may target dormant accounts as they are less likely to be monitored. By identifying and disabling inactive users, the administrators can reduce the risk of unauthorized access and potential security breach.
    • Inactive user accounts can consume unnecessary system resources and affect the performance of the application. By regularly disabling inactive accounts, the administrators can optimize the use of resources, such as storage and processing power, ensuring that the system runs efficiently.
    • Categorizing users based on their last login time helps administrators make informed decisions about account management. For example, they can quickly identify users who haven’t logged in for a long period and determine whether to send them re-engagement emails or disable their accounts.
    • By identifying inactive users, organizations can send targeted communications to re-engage these users, offering them incentives or reminders to return to the platform. This personalized approach can enhance the user experience and encourage continued use of the platform.
  5. please see 4
  6. please see 4
  7. The value of this feature will depend on the type of user. While a minor feature I do believe that this kind of feature should be part of the core product and not as an extension.
  8. Thank you for the opinion - noted
  9. I was thinking more in line with a more compact view of the activity stream of the profile for the specified period

For me, it’s reducing attack surface by knowing who is using the wiki and which inactive accounts can be disabled so they can’t be misused.

As far as implementation is concerned, I would suggest something simple:

  • Make the activity logging only visible to administrators in the existing User Index area.
  • List the “Last Login Time” as a table column in the User Index.
  • Also list the number of successful logins as well as the number of failed logins. (Number of successful logins indicate frequency of usage, and number of unsuccessful logins indicate that the user needs assistance and/or there is a risk of outside intrusion.)
  • As @MichaelHamann mentioned, “Last Active Time” may also be useful.

So I like the basic elements of the V0 implementation (assuming it’s integrated into the User Index) but would like to see more data included. I think that the additions of V1 and V2 are overkill with the exception of the Last Activity column on V2 but I think it should just be the timestamp showing the last time the user was active.

1 Like

This has already been logged in Jira as a feature request:

https://jira.xwiki.org/browse/XWIKI-15890

Now, whether the XWiki team or some contributor finds time to actually implement this is another question entirely. I would guess that the primary driver for this development would be a requirement from an organization’s security team that would allow them to disable unused/stale accounts to prevent unintended/unauthorized access (as is typical for other kinds of systems).

Thanks all for the info.

ATM I still think that this feature should be developed as a contrib extension and not bundled by default as I don’t think everyone will require it. We’re also trying to reduce the size of XS (at least to keep it in check since we’ve not been that successful in reducing its size so far ;)). With the Extension Manager, it’s easy for anyone needing the feature to install it.

I hadn’t thought of this. Even if it’s probably marginal (there’s no place in XWiki that should query or display all users as we paginate results), it’s a good example of a feature to help reduce the CO2 cost of XWiki.

2 Likes

I like that we as admins don’t know who is “active”.

We don’t have to worry about cleaning up old accounts because we use OIDC with Azure AD for login. So from a security point of view we don’t need this feature.

On the other hand, there is no way to track our users. An attractive wiki will be used. We don’t need a competition to see which article is read the most. Every article is useful, even if it only helps once.

I was happy to say “No, the wiki doesn’t track that” when I was asked more than once.

Please, if this is about to be implemented, make it only optional and, if possible, disabled by default!

German laws for protecting workers make things complicated to host for corporations and institutions. Every technical solution that in one way or another can be used to track workers’ performance or even their presence must be approved by the workers’ council.

The next thing is that this tracking could also make privacy policies much more complicated.

3 Likes

At least with what I imagined, the only information that would be stored is the day (no time) when the user was last active (i.e., viewed the wiki while being logged in). No history of that information would be kept in XWiki, so you wouldn’t be able to, e.g., list the days the user was active on (and of course XWiki wouldn’t store what the user viewed). I understand that even this could be too much, I just wanted to highlight that the idea would really be to store as little data as possible. In any case, given the feedback of @vmassol, it seems more likely that this would be implemented as an (optional) extension.

1 Like
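The storage idea from the post above (one day value per user, no history), combined with the separate-table option raised earlier in the thread, as an added example that is not part of any post and is not XWiki code. The SQLite table, the function names and the `XWiki.*` user references are assumptions made for illustration.

```python
import sqlite3
from datetime import date, timedelta

SCHEMA = """CREATE TABLE IF NOT EXISTS user_last_active (
    user_ref TEXT PRIMARY KEY,  -- one row per user: no activity history
    last_day TEXT NOT NULL      -- ISO day (YYYY-MM-DD), no time of day
)"""

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def record_activity(conn, user_ref, today):
    """Store the day a logged-in user was seen; return True if a write happened."""
    day = today.isoformat()
    row = conn.execute("SELECT last_day FROM user_last_active WHERE user_ref = ?",
                       (user_ref,)).fetchone()
    if row and row[0] >= day:
        return False  # already recorded for this day: no write per request
    conn.execute("INSERT OR REPLACE INTO user_last_active VALUES (?, ?)",
                 (user_ref, day))
    conn.commit()
    return True

def inactive_users(conn, known_users, today, max_idle_days):
    """Return (user, last_day) for users last active more than max_idle_days ago."""
    cutoff = (today - timedelta(days=max_idle_days)).isoformat()
    seen = dict(conn.execute("SELECT user_ref, last_day FROM user_last_active"))
    report = []
    for user in sorted(known_users):
        last = seen.get(user)  # None: never seen since recording started
        if last is None or last < cutoff:  # ISO days compare correctly as text
            report.append((user, last))
    return report

if __name__ == "__main__":
    # Constructed sample users and dates, for illustration only.
    store = open_store()
    record_activity(store, "XWiki.alice", date(2024, 6, 2))
    record_activity(store, "XWiki.bob", date(2024, 3, 1))
    users = ["XWiki.alice", "XWiki.bob", "XWiki.carol"]
    for user, last in inactive_users(store, users, date(2024, 6, 15), 30):
        print(user, last or "never seen")
```

Accounts that come back with no recorded day may simply predate the recording, so they are candidates for review rather than for automatic disabling.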

If you are storing personal data in your XWiki, you may have a legal obligation to know what was accessed and who accessed it (and maybe also why). You will also have to keep that data for a predefined duration.