There should be another table which logs login activity. When someone logs in, it should capture:
1. User IP address
2. Browser user-agent
3. Was the login successful or not?
This is basic basic stuff that should be there. Without this information there is little or no control over who is doing what on the system. You can see IP addresses in the server logs but those don't tell you anything about who is on the system or doing what.
If I could get into the code and figure out where to put a hook like this, I would add this feature myself.
[originally posted on jforum.net by CaliforniaCCW]
The best place to do this would be in the net.jforum.view.forum.UserActions class. In particular the validateLogin() and logout() methods.
But these may not get called if you are using an SSO method or authenticating via cookie.
A quick way to do this would be to just use the logger object that's already there. E.g.:
logger.info("Security: user: X IP:y ....");
Another way I've done this in the past is to have a simple SecurityLog class with static logging methods. The advantage to this is that the log4j / commons.logging mechanisms let you direct specific class logging to different files. So by using a SecurityLog class, you can generate a separate security log. (Or not and just grep the log for the class to get the same info...).
[originally posted on jforum.net by monroe]
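The SecurityLog approach described in the reply above, as an added example that is not part of the original posts and not JForum's own code. It assumes log4j 1.x on the classpath; the default-package placement, the field names, the appender name, the file path and the sample values are assumptions.

```java
import org.apache.log4j.Logger;

/*
 * Added example (not JForum code). Route this class to its own file in
 * log4j.properties; appender name and file path are placeholders:
 *   log4j.logger.SecurityLog=INFO, security
 *   log4j.additivity.SecurityLog=false
 *   log4j.appender.security=org.apache.log4j.DailyRollingFileAppender
 *   log4j.appender.security.File=/path/to/security.log
 *   log4j.appender.security.layout=org.apache.log4j.PatternLayout
 *   log4j.appender.security.layout.ConversionPattern=%d{ISO8601} %p %m%n
 */
public final class SecurityLog {
    private static final Logger LOG = Logger.getLogger(SecurityLog.class);
    private static final int MAX_FIELD = 256; // cap attacker-controlled fields

    private SecurityLog() { }

    // Username and User-Agent are attacker-controlled: escape quotes and control
    // characters (CR/LF included) so one request cannot forge extra log records.
    static String clean(String value) {
        if (value == null || value.isEmpty()) return "-";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length() && i < MAX_FIELD; i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') sb.append('\\').append(c);
            else if (c < 0x20 || c == 0x7f) sb.append(String.format("\\x%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }

    static String format(String event, boolean ok, String user, String ip, String ua) {
        return "event=" + event + " result=" + (ok ? "success" : "failure")
            + " user=\"" + clean(user) + "\" ip=\"" + clean(ip) + "\" ua=\"" + clean(ua) + "\"";
    }

    // Call from the login hook; never pass the submitted password.
    public static void login(String user, String ip, String ua, boolean ok) {
        String line = format("login", ok, user, ip, ua);
        if (ok) LOG.info(line); else LOG.warn(line); // failures stand out at WARN
    }

    public static void logout(String user, String ip, String ua) {
        LOG.info(format("logout", true, user, ip, ua));
    }

    public static void main(String[] args) { // constructed sample values
        System.out.println(format("login", true, "alice", "203.0.113.7", "Mozilla/5.0"));
        System.out.println(format("login", false, "bob\nevent=login result=success", "203.0.113.9", null));
    }
}
```

In a servlet-based hook the IP and user-agent would come from `HttpServletRequest.getRemoteAddr()` and `getHeader("User-Agent")`; as the reply notes, logins that arrive via SSO or cookie may bypass validateLogin(), so those paths need their own call.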