httpd-dev mailing list archives

From Andrew Wilson <and...@www.elsevier.co.uk>
Subject Logging users of protected resources...
Date Tue, 28 Mar 1995 13:19:45 GMT

More on log files in 0.3...

The standard log format is eg:

193.131.199.44 - - [28/Mar/1995:12:50:18 +0100] "GET /Images/construction.89.gif HTTP/1.0" 200 242

Where the second '-' is really the user name entered for a password protected
space.  It's highly likely that billing models will need this field to contain
a sensible value, and on a normal .html file the value is recorded properly.

If the file has server-side includes (ie it's a u+x or .shtml file) then
I find that the 'user' entry is recorded as '-', even though a uid/pwd
is required and given for the main including file.

Every call to http_auth.c's check_auth() routine will reset the value of
'user', and check_auth() is called each time a to-be-included file is
accessed. This means that <!--#include'd files which aren't protected in any
way will trash the user record in the log file.

There would seem to be two solutions:

1)	Ensure that all to-be-included files are protected by the same
	uid/pwd combination as the main file.  The correct 'user' value is
	then recorded in the log file.

	This sucks, because it imposes an overhead for checking passwords
	for files which don't contain anything of value, like copyright tags,
	author info and time-stamp page headers.

2)	Make it so that only the first access affects the value of 'user'.
	Operationally this has the side effect of not recording the possibly
	different 'user' information protecting to-be-included files.

	We can reset the value of 'user' when the first access is made and
	subsequent calls to check_auth will only write to the 'user' variable
	when user[0] != '\0';  The log file entry will then record the correct
	value.

Questions:

3)	Does anyone run any form of .htaccess protection on files that they
	include into their documents?

As it stands the logfile is pretty useless for user tracking when the site also
makes heavy use of <!--#include file="foo" -->.  I think it's important that
0.4 carries a useful fix, and I can patch it up if people want.


Cheers,
Ay.

     Andrew Wilson	     URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford   Office: +44 0865 843155     Mobile: +44 0589 616144
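
A minimal C model of the behaviour described in the message above, added here as an illustration and not taken from the post or from the httpd source. It shows the logged user field being overwritten by checks on included files, next to option 2 read as "only the first access writes 'user'". The names `struct request`, `model_check_auth` and `logged_user`, the user names and the request path are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not httpd source: one request's logged 'user' value. */
struct request {
    char user[64];   /* third field of the log line; empty is logged as "-" */
    int  accesses;   /* files checked so far: main document, then includes */
};

/* Hypothetical stand-in for the per-file auth check. authed_as is the
 * user name that passed the check, or NULL for an unprotected file. */
static void model_check_auth(struct request *r, const char *authed_as,
                             int first_wins)
{
    int is_first = (r->accesses++ == 0);

    if (first_wins && !is_first)
        return;                      /* option 2: includes leave 'user' alone */
    r->user[0] = '\0';               /* reported behaviour: reset on every call */
    if (authed_as != NULL)
        snprintf(r->user, sizeof r->user, "%s", authed_as);
}

/* Run the checks for a document and its n includes, in order, and return
 * the user field as it would appear in the log. */
static const char *logged_user(struct request *r, const char *main_user,
                               const char *const *include_users, int n,
                               int first_wins)
{
    memset(r, 0, sizeof *r);         /* fresh state at the start of a request */
    model_check_auth(r, main_user, first_wins);
    for (int i = 0; i < n; i++)
        model_check_auth(r, include_users[i], first_wins);
    return r->user[0] != '\0' ? r->user : "-";
}

int main(void)
{
    /* Constructed sample: protected page pulling in two unprotected includes. */
    const char *const includes[] = { NULL, NULL };
    struct request r;

    for (int fix = 0; fix <= 1; fix++)
        printf("192.0.2.10 - %s [28/Mar/1995:12:50:18 +0100] "
               "\"GET /report.shtml HTTP/1.0\" 200 242   (%s)\n",
               logged_user(&r, "alice", includes, 2, fix),
               fix ? "first access wins" : "reset on every check");
    return 0;
}
```

With the first-access rule, an include protected by a different account no longer appears in the log at all, which is the side effect noted under option 2.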

