Posted to apache-bugdb@apache.org by Charles Sliger <ch...@reliant.com> on 1999/10/19 22:32:55 UTC

config/5170: Cannot configure Apache to log successful login authorization.

>Number:         5170
>Category:       config
>Synopsis:       Cannot configure Apache to log successful login authorization.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Tue Oct 19 13:40:02 PDT 1999
>Last-Modified:
>Originator:     chaz@reliant.com
>Organization:
apache
>Release:        1.3.4
>Environment:
Solaris-6 x86
>Description:
There appears to be no way to configure the Apache server such that it will
create a log entry when a person successfully logs in.
The server does create an entry in the error log when a person is denied
access.

Why this is important:
I need to be able to tell how many concurrent logins are active for a given
account.
This is necessary to prevent the accounts from being raided when someone
posts the account information to a "password" site.
This is a problem common to all pay sites.

Why access log scanning does not work:
The access logs can be scanned for information such as multiple IP addresses
accessing the site within a given time frame but this has serious limitations.
Some users can have their IP address change with every request because of
the service they use (AOL, etc.).

Cookies won't work either for the same reason.  There is not a strict 1:1
relationship between cookies and authorizations.
>How-To-Repeat:

>Fix:
Since there are several authorization modules, it would be best if this
could be done via a change to the mod_log_config module.
This assumes that mod_log_config has access to the status of an
authorization event.
>Audit-Trail:
>Unformatted:
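The access-log scan the report describes, sketched as an added example (not part of the original report and not Apache code). It assumes Common Log Format, where `%u` records the authenticated user; `shared_accounts`, the window, the threshold and the sample lines are all constructed for illustration. The `carol` lines mimic a rotating proxy pool and are flagged as well, which is the limitation the submitter points out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: %h %l %u %t "%r" %>s %b
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges), in chronological order.
SAMPLE = """\
192.0.2.10 - alice [19/Oct/1999:13:00:01 -0700] "GET /members/ HTTP/1.0" 200 512
198.51.100.7 - alice [19/Oct/1999:13:02:30 -0700] "GET /members/a.jpg HTTP/1.0" 200 9000
203.0.113.5 - alice [19/Oct/1999:13:04:10 -0700] "GET /members/b.jpg HTTP/1.0" 200 9000
192.0.2.44 - bob [19/Oct/1999:13:05:00 -0700] "GET /members/ HTTP/1.0" 200 512
203.0.113.9 - bob [19/Oct/1999:13:05:20 -0700] "GET /members/ HTTP/1.0" 401 0
198.51.100.21 - carol [19/Oct/1999:13:06:00 -0700] "GET /members/ HTTP/1.0" 200 512
198.51.100.22 - carol [19/Oct/1999:13:06:10 -0700] "GET /members/c.jpg HTTP/1.0" 200 9000
198.51.100.23 - carol [19/Oct/1999:13:06:20 -0700] "GET /members/d.jpg HTTP/1.0" 200 9000
192.0.2.44 - bob [19/Oct/1999:13:40:00 -0700] "GET /members/ HTTP/1.0" 200 512
""".splitlines()

def parse(line):
    """Return (ip, user, time, status), or None for unparsable or anonymous lines."""
    m = CLF.match(line)
    if not m or m.group(2) == "-":
        return None
    ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), m.group(2), ts, int(m.group(4))

def shared_accounts(lines, window=timedelta(minutes=10), max_ips=2):
    """Map user -> largest set of distinct client IPs seen inside one window,
    for users that exceed max_ips. Expects lines in chronological order."""
    recent = defaultdict(deque)   # user -> (time, ip) pairs still inside the window
    flagged = {}
    for ip, user, ts, status in filter(None, map(parse, lines)):
        if status == 401:         # %u is unreliable when authentication failed
            continue
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()           # drop requests older than the window
        ips = {addr for _, addr in q}
        if len(ips) > max_ips and len(ips) > len(flagged.get(user, ())):
            flagged[user] = ips
    return flagged

if __name__ == "__main__":
    for user, ips in sorted(shared_accounts(SAMPLE).items()):
        print(user, sorted(ips))
```
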