Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id KAA08829; Tue, 4 Apr 1995 10:43:20 -0700
Received: from get.wired.com by taz.hyperreal.com (8.6.10/8.6.5) with ESMTP id KAA08808; Tue, 4 Apr 1995 10:43:10 -0700
Received: by get.wired.com (8.6.12/8.6.5) id JAA12833; Tue, 4 Apr 1995 09:42:51 -0800
Date: Tue, 4 Apr 1995 09:42:50 -0800 (PST)
From: Brian Behlendorf
To: new-httpd@hyperreal.com
Subject: Re: Logging of remote_user
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-new-httpd@hyperreal.com
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Tue, 4 Apr 1995, David Robinson wrote:
> Currently httpd only logs any username for protected documents. How do folks
> feel about my changing this so that it logs any remote username sent by the
> client (as part of authentication data), even if the document being
> accessed was not protected?
>
> I've found another bug in the handling of the user information, and it might
> be convenient to change the logging in the manner I described.

It should only record it for protected documents. Some browsers are
"promiscuous" and send authentication info even for resources not under
authentication, and that behavior shouldn't be rewarded or recognized.
Besides, when I was learning how to set up access control it was a very
good way to know I was doing things right - adding ambiguity there would
have been confusing.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/