Don't ping LastLoginAt when impersonated

pkg/middleware/authentication.go

@@ -40,8 +40,8 @@ func LoginRequired(handler http.Handler) http.Handler {
 			return
 		}
 
-		// Ping LastLoginAt for long lived sessions.
-		if time.Since(user.LastLoginAt) > config.LastLoginAtCooldown {
+		// Ping LastLoginAt for long lived sessions, but not if impersonated.
+		if time.Since(user.LastLoginAt) > config.LastLoginAtCooldown && !session.Impersonated(r) {
 			user.LastLoginAt = time.Now()
 			if err := user.Save(); err != nil {
 				log.Error("LoginRequired: couldn't refresh LastLoginAt for user %s: %s", user.Username, err)

pkg/session/session.go

@@ -170,8 +170,6 @@ func ImpersonateUser(w http.ResponseWriter, r *http.Request, u *models.User, imp
 	sess.Impersonator = impersonator.ID
 	sess.Save(w)
 
-	// Ping the user's last login time.
-	u.LastLoginAt = time.Now()
 	return u.Save()
 }