You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by waf EID <ei...@gmail.com> on 2008/11/28 10:22:16 UTC
[users@httpd] X-CGI- Response Header Filtering
Hi,
I have an httpd server running CGI which use cookies to identify users.
The problem is that I would like to log the username in httpd logs.
The only solution I ve found is adding an HTTP Response Header called
X-CGI-USERNAME but I had to write a module that removes it *(because I don't
want my users to receive this header)* just after copying it in the httpd
environment* (so I can use it in LogFormat)*.
I've read in the *rfc3875 (CGI) line 1502:*
* There may be additional implementation-defined CGI header fields,
whose field names SHOULD begin with "X-CGI-". The server MAY ignore
(and delete) any unrecognized header fields with names beginning "X-
CGI-" that are received from the script.*
**
The question is: are you planning to make httpd filter headers starting with
X-CGI-, or do you have another solution so I don't have to use my own
module?
It would be great if you could add a directive that allows us to keep or
remove those headers.
Thanks in advance.
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by waf EID <ei...@gmail.com>.
That's what I did but I would like to know if there's a better solution,
because I don't want to use my own module and I prefer to do this only by
using the directives that come with Apache and it's modules.
> I think the simplest solution would be to receive the response header,
> set an environment variable from that, then unset the header. You could
> then use the environment variable to log from.
>
Thank you for your proposition
Have a nice day
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by Tom Evans <te...@googlemail.com>.
On Fri, 2008-11-28 at 10:22 +0100, waf EID wrote:
> Hi,
>
> I have an httpd server running CGI which use cookies to identify
> users.
> The problem is that I would like to log the username in httpd logs.
> The only solution I ve found is adding an HTTP Response Header called
> X-CGI-USERNAME but I had to write a module that removes it (because I
> don't want my users to receive this header) just after copying it in
> the httpd environment (so I can use it in LogFormat).
>
> I've read in the rfc3875 (CGI) line 1502:
> There may be additional implementation-defined CGI header fields,
> whose field names SHOULD begin with "X-CGI-". The server MAY
> ignore
> (and delete) any unrecognized header fields with names beginning
> "X-
> CGI-" that are received from the script.
>
> The question is: are you planning to make httpd filter headers
> starting with X-CGI-, or do you have another solution so I don't have
> to use my own module?
> It would be great if you could add a directive that allows us to keep
> or remove those headers.
>
>
> Thanks in advance.
If a directive was added to strip these headers (it already exists, as
Nick said), then it wouldn't actually help you. Logging happens almost
last in the request-response cycle, so if you still wanted to be able to
read that header in the log phase, you can't delete it.
I think the simplest solution would be to receive the response header,
set an environment variable from that, then unset the header. You could
then use the environment variable to log from.
You would have to write a small apache module to do that. Check out
http://www.apachetutor.org (and buy Nick's book as well :)
Cheers
Tom
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by waf EID <ei...@gmail.com>.
Exactly but with mod_header it doesn't work. Because if you remove the
header, it is done before logging so when I use it in LogFormat, it's empty
and I just get a dash.
It would be great if it could remove it after logging or copy it in the
environment.
Thanks for your proposition anyway
On Fri, Nov 28, 2008 at 1:38 PM, Nick Kew <ni...@webthing.com> wrote:
> On Fri, 28 Nov 2008 10:22:16 +0100
> "waf EID" <ei...@gmail.com> wrote:
>
> > It would be great if you could add a directive that allows us to
> > keep or remove those headers.
>
> Something like "Header", maybe?
>
> --
> Nick Kew
>
> Application Development with Apache - the Apache Modules Book
> http://www.apachetutor.org/
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 28 Nov 2008 10:22:16 +0100
"waf EID" <ei...@gmail.com> wrote:
> It would be great if you could add a directive that allows us to
> keep or remove those headers.
Something like "Header", maybe?
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by waf EID <ei...@gmail.com>.
> I have an httpd server running CGI ..
>>
> Can you be a bit more specific ? What kind of cgi-bin scripts/programs are
> you running ? can they be easily modified ? are you using perl/mod_perl ?
>
my CGI files are big binary programs and of course I can modify them, but I
can't rewrite them in perl or python so I can't change the httpd child
environment.
> The idea is, presumably your cgi-bin scripts "get" this user-id in order to
> work, yes ?
> Then the cgi-bin script itself could log this user-id, without needing to
> add a header to the HTTP request/response.
> Basically anything you print to STDERR in a cgi-bin, will end up in the
> Apache error log.
> You can also decide to log this in a separate logfile.
My CGI programs gets the user id from a database and it already logs it in
it's own log file.
The STDERR idea is good but I forgot to specify that I want the username in
the access log instead of the error log.
Thanks for your nice ideas.
Re: [users@httpd] X-CGI- Response Header Filtering
Posted by André Warnier <aw...@ice-sa.com>.
waf EID wrote:
> Hi,
>
> I have an httpd server running CGI ..
Can you be a bit more specific ? What kind of cgi-bin scripts/programs
are you running ? can they be easily modified ? are you using
perl/mod_perl ?
which use cookies to identify users.
> The problem is that I would like to log the username in httpd logs.
The idea is, presumably your cgi-bin scripts "get" this user-id in order
to work, yes ?
Then the cgi-bin script itself could log this user-id, without needing
to add a header to the HTTP request/response.
Basically anything you print to STDERR in a cgi-bin, will end up in the
Apache error log.
You can also decide to log this in a separate logfile.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org