httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] No remote user in LOG file in CGI (HTTP Authentification)
Date Fri, 03 Aug 2007 15:28:55 GMT
On 8/3/07, apache.org@eurower.com <apache.org@eurower.com> wrote:
> Hi,
>
> Authentication is configured by PHP; it sends the browser the required
> headers in order to provide authentication:
> header("WWW-Authenticate: Basic realm=\"Realm\"");
> header("HTTP/1.0 401 Unauthorized");
>
> For the CGI, it is called in the Apache conf as follows:
> AddHandler cgi-php5 .php5 .php
> Action cgi-php5 /php5/php5-cgi
> SuexecUserGroup <existing_user> users
>
> where /php5/php5-cgi is the compiled PHP CGI executable and
> <existing_user> is a non-privileged user of the unix system.
> So the PHP (CGI) script is executed with <existing_user> privilege.
>
> The authentication mechanism is OK, I log in to the CGI script
> perfectly with credential titi:toto but Apache's logs don't indicate titi
> as %<u (LogFormat)

Ok, that's because apache never authenticates the user, so there is no
user to speak of as far as apache is concerned.

Normally you aren't even allowed to do authentication in cgi scripts
(unless you use SECURITY_HOLE_PASS_AUTHORIZATION when compiling),
since anyone else with an account on the same box could steal the
password out of the environment. You are getting around that with some
mod_rewrite trickery.

If you really need the userid in the logs, then the only way to get it
will be to have your CGI script supply it, since your CGI script is
doing the auth work. One way to do that would be to have your CGI
script send an additional response header containing the userid and
then log that response header. So, for example, your CGI script could
write X-Auth-User: userid and then you could include %{X-Auth-User}o
in your log format string. (Then you could use Header unset to get rid
of it before it went to the client if you want. But that isn't strictly
necessary since the userid isn't normally confidential.)

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
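
An added example, not part of the original message and not code from the Apache or PHP projects: a PHP CGI script that does the Basic auth check itself and reports the authenticated userid to Apache in an X-Auth-User response header, as the reply suggests. The environment variable names, the check_password() helper and its demo credential store are assumptions made for illustration.

```php
<?php
// Matching access-log format in the Apache configuration (from the reply):
//   LogFormat "%h %l %{X-Auth-User}o %t \"%r\" %>s %b" cgiauth
// Assumptions: the Authorization header reaches the script in
// HTTP_AUTHORIZATION or REDIRECT_HTTP_AUTHORIZATION, and check_password()
// is a hypothetical stand-in for the application's real credential check.

function check_password(string $user, string $pass): bool {
    // Constructed demo store; a real one holds precomputed hashes.
    $users = ['titi' => password_hash('toto', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

function parse_basic_auth(?string $header): ?array {
    if ($header === null || stripos($header, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // [user, password]; password may contain ':'
}

function log_safe_userid(string $user): string {
    // The value is client-supplied and ends up in a response header and in
    // the access log, so restrict it to a conservative character set.
    $clean = (string) preg_replace('/[^A-Za-z0-9._@-]/', '_', $user);
    return substr($clean, 0, 64);
}

$header = $_SERVER['HTTP_AUTHORIZATION']
    ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
$creds = parse_basic_auth($header);

if ($creds === null || !check_password($creds[0], $creds[1])) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Realm"');
    exit("Authentication required\n");
}

// Only set after a successful check, so the log field means "authenticated as".
header('X-Auth-User: ' . log_safe_userid($creds[0]));
echo "Hello, ", htmlspecialchars($creds[0]), "\n";
```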

