diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4d1437e..44d71a4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # 变更日志
 
+## 2026-05-18
+
+- [修复] 用户管理"最后登录"时间不动态更新：SSO 免登录、本地 JWT 会话验证路径现在也会更新 `last_login_at`（此前仅密码登录路径更新，导致 SSO 用户始终显示"从未登录"）
+
 ## 2026-05-15
 
 - [修复] middleware 移除 `better-sqlite3` 依赖，修复 Edge Runtime 不支持 Node.js 原生模块的编译报错（`The edge runtime does not support Node.js 'fs' module`）
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index e3e1fbd..249dea3 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -29,7 +29,7 @@ export async function getCurrentUser(): Promise<UserPayload | null> {
         'SELECT id, username, display_name, role FROM users WHERE username = ? AND is_active = 1'
       ).get(sharedPayload.username) as UserPayload | undefined
       if (row) {
-        db.prepare("UPDATE users SET last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(row.id)
+        db.prepare("UPDATE users SET last_login_at = datetime('now', '+8 hours'), last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(row.id)
         row.permissions = getUserPermissions(row.role)
         return row
       }
@@ -53,7 +53,7 @@ export async function getCurrentUser(): Promise<UserPayload | null> {
   const payload = await verifyToken(token)
   if (payload) {
     const db2 = getDb()
-    db2.prepare("UPDATE users SET last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(payload.id)
+    db2.prepare("UPDATE users SET last_login_at = datetime('now', '+8 hours'), last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(payload.id)
     payload.permissions = getUserPermissions(payload.role)
   }
   return payload