If you post to the CMD_LOGIN page directly from an external form, the global login.hist file has no entry for your IP, so there are 0 previous attempts (loading the DA login page normally counts as 1 attempt, which is why you usually see 1). As written, the login was logged only on the first load of the true page, at the point where the IP was cleared from the login.hist file. Since a direct login had no entry, there was no IP to clear, so logging to the login.log or the user login.hist file never happened.

The code has been changed so that the actual writing of the session file, in the same process as the CMD_LOGIN request, logs to the login.log and the user login.hist, and clears the global login.hist. A separate case covers authorized connections that do not have sessions (i.e. API calls): these log to the login.log for each request, but still not to the login.hist file, to prevent flooding. All requests are still logged to the access log file (for example, "2016-Nov-23.log").

This has the added benefit that the login.hist is not checked/cleared for each CMD_ call, only on the initial creation of the session or on a failed login, so it should speed up connections somewhat.
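The audit gap and its fix can be seen in a small model of the two flows. This is an added illustration, not DirectAdmin code: the class, method names, record layout and IP addresses are all assumptions made for the example.

```python
# Simplified model of the logging behaviour described above. All names are
# hypothetical; the IPs used with it are constructed documentation addresses.
class LoginAudit:
    def __init__(self, fixed):
        self.fixed = fixed        # False = old behaviour, True = changed behaviour
        self.global_hist = {}     # global login.hist: IP -> attempt count
        self.login_log = []       # login.log entries
        self.user_hist = []       # user login.hist entries

    def load_login_page(self, ip):
        # Loading the login page counts as one attempt for the IP.
        self.global_hist[ip] = self.global_hist.get(ip, 0) + 1

    def _record_session(self, user, ip):
        # Log the login, add it to the user's history, clear the global entry.
        self.login_log.append((user, ip, "session"))
        self.user_hist.append((user, ip))
        self.global_hist.pop(ip, None)

    def cmd_login(self, user, ip):
        # Successful CMD_LOGIN: the session file is written here.
        if self.fixed:
            self._record_session(user, ip)   # logged in the same process

    def first_page_load(self, user, ip):
        # Old behaviour: logging depended on finding the IP in login.hist.
        if not self.fixed and ip in self.global_hist:
            self._record_session(user, ip)

    def api_call(self, user, ip):
        # Authorized request without a session. The page only describes the
        # changed behaviour for these, so the old one is not modelled.
        if not self.fixed:
            raise NotImplementedError("old API logging is not described")
        self.login_log.append((user, ip, "api"))   # login.log only, no login.hist

def form_login(audit, user, ip):
    # Normal flow: login page, then CMD_LOGIN, then the first real page.
    audit.load_login_page(ip)
    audit.cmd_login(user, ip)
    audit.first_page_load(user, ip)

def direct_post_login(audit, user, ip):
    # External form posts straight to CMD_LOGIN; the login page is never loaded.
    audit.cmd_login(user, ip)
    audit.first_page_load(user, ip)
```

Running both flows against `LoginAudit(fixed=False)` leaves the direct-post login out of `login_log` and `user_hist`, while `LoginAudit(fixed=True)` records both.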