Posted to users@httpd.apache.org by Jimmy Lantz <ji...@lusidor.com> on 2002/08/09 16:01:10 UTC

Log Basic Auth Login possible?

Hi,

I'm looking for a way to log Basic AUTH logins:
I have been googling and looking in the HTTP 1.1 RFC, searching through the 
manual.

I'm thinking that there might be a way to do this using SetEnvIf & CustomLog.

But my problem is how do I distinguish between the first actual "login" and 
usage thereafter. Is there a change in headers? On just the first?
If I were logging every time Remote_User is available and not null I 
would get users' activities.
But that would include all activities, not only the first login sequence.

Any tips/pointers on what I could do to achieve this?

TIA
Jimmy




I know that first a 401 is sent to client then a 200 and username is set.
192.168.1.2 - - [09/Aug/2003:23:13:58 +0200] "GET / HTTP/1.1" 401 409
192.168.1.2 - admin [09/Aug/2003:23:14:40 +0200] "GET / HTTP/1.1" 200 1054




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Log Basic Auth Login possible?

Posted by Zac Stevens <zt...@cryptocracy.com>.
Hi Jimmy,

On Fri, Aug 09, 2002 at 04:01:10PM +0200, Jimmy Lantz wrote:
> But my problem is how do I distinguish between the first actual "login" and 
> usage thereafter. Is there a change in headers? On just the first?
> If I were logging every time Remote_User is available and not null I 
> would get users' activities.
> But that would include all activities, not only the first login sequence.

Unfortunately, you can't do this (at least, not reliably) as HTTP is a
stateless protocol.  There is no concept of a "login" - what really happens
is that the client starts supplying authentication credentials along with
the request.

> Any tips/pointers on what I could do to achieve this?

If you have a login page on your site, you may wish to check the logs for
people successfully moving on past that page.  This will be particularly
useful if that page is only hit once at the start of a user's session - if
not, you will have to define a login as the first auth appearance after a
given length of time - say, five minutes.

You may also want to investigate setting a session cookie as part of your
login, which would probably provide you with more help in accurately
determining login times.

HTH,


Zac
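
The fallback definition from the reply above (a login is the first authenticated request after a given idle period, five minutes in that example), applied to access-log lines. This is an added example, not code from the thread. It assumes Common Log Format and tracks sessions per client address and user name; the function name and every sample line after the two from the original post are constructed.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def find_logins(lines, idle=timedelta(minutes=5)):
    """Return (time, host, user) for each request treated as a login."""
    last_seen = {}  # (host, user) -> time of the previous authenticated request
    logins = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["user"] == "-":
            continue  # unparsable line, or no credentials were sent
        if m["status"] == "401":
            continue  # credentials were rejected; the user field is unverified
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["host"], m["user"])  # assumption: one session per address+user
        prev = last_seen.get(key)
        if prev is None or ts - prev > idle:
            logins.append((ts, m["host"], m["user"]))
        last_seen[key] = ts  # any authenticated request extends the session
    return logins

# First two lines are from the original post; the rest are constructed.
SAMPLE = [
    '192.168.1.2 - - [09/Aug/2003:23:13:58 +0200] "GET / HTTP/1.1" 401 409',
    '192.168.1.2 - admin [09/Aug/2003:23:14:40 +0200] "GET / HTTP/1.1" 200 1054',
    '192.168.1.2 - admin [09/Aug/2003:23:14:41 +0200] "GET /logo.png HTTP/1.1" 200 2310',
    '192.168.1.2 - admin [09/Aug/2003:23:17:02 +0200] "GET /status HTTP/1.1" 200 512',
    '192.168.1.2 - admin [09/Aug/2003:23:40:00 +0200] "GET / HTTP/1.1" 200 1054',
    '192.168.1.7 - admin [09/Aug/2003:23:40:05 +0200] "GET / HTTP/1.1" 401 409',
    '192.168.1.7 - bob [09/Aug/2003:23:41:00 +0200] "GET / HTTP/1.1" 200 1054',
]

if __name__ == "__main__":
    for ts, host, user in find_logins(SAMPLE):
        print(ts.isoformat(), host, user)
```

Lines with status 401 are skipped because the logged user name on a 401 is whatever the client supplied, not an authenticated identity.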

