database – Why is it that not all users have a ‘session_tokens’ meta_key record in the usermeta table?

When a session is destroyed, it’s removed from the list in the meta. Importantly, if the list is empty, the meta is deleted.

So if a user logs out, if a session expires, if a user is deleted, or if the user clears their sessions on their profile page, these can all result in no sessions, so no user meta.

The root problem is a misunderstanding of what these sessions are. It is not the time of the last login, it is the time that the active sessions started.

So, if I log in on a desktop on Monday, a mobile on Tuesday, and then log out of the mobile on Wednesday, your code will say I last logged in Monday, not Tuesday. The session for the mobile ended, and was cleaned up.

This way, it is possible to log in without detection. This method cannot be used to reliably detect the last time the user was seen.