[Web-SIG] Logging the authenticated user (was Re: Bowing out)

Phillip J. Eby pje at telecommunity.com
Tue Feb 7 18:28:09 CET 2006 

At 12:02 PM 2/7/2006 -0500, Stephan Richter wrote:
>BTW, did we reach a conclusion on the user logging issue. We really, really
>need to solve that somehow. Anything you can come up with is fine by me; I'll
>trust you do the right thing.

As I mentioned, you can do this right now by offering and documenting an 
extension API.  You don't need a modification to the PEP to do this; it's 
sufficient for you to get together with the authors of the web servers you 
care about and hash out a working agreement.

To get it into the 'wsgi.*' namespace and included in the PEP as a 
"standard" optional extension, the bar is a bit higher, and it does require 
coming to some resolution about the remaining issues.  If I recall 
correctly, the question of which side (server or app) should be responsible 
for encoding issues was the remaining open item, aside from the name that 
should be used for the extension API.

Also IIRC, Ian Bicking had proposed that the server should be responsible 
for making sure that what it writes to the log is in a valid format for 
that log.  I'm inclined to agree, and think we should use a name like 
'wsgi.set_authenticated_user_name', with the API allowed to be called 
multiple times.

For future versions of WSGI, I'd prefer to send this kind of thing in 
response headers, since that would preserve functional composability 
better.  Indeed, I'd prefer to do it that way now, but too many people have 
objected to this as a security risk.

OTOH, an easy way to fix that would be for us to define a 
'wsgi.response_filtering' key that means the server will drop any 
'X-Internal-Foo' headers.  You can then simply avoid generating any 
internal communication headers unless the server promises to fix 
them.  And, as a side effect, this would close the encoding issue by 
definition; the format of response headers is already dictated by the WSGI 
and HTTP specs.

So, if there are no objections, I propose that we:

* Add an optional 'wsgi.response_filtering' key to the spec.  If its value 
is present and true, the server promises to prevent 'X-Internal-*' headers 
from being transmitted.

* Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec, 
that indicates the authenticated user name.  This should only be inserted 
into the response headers if 'wsgi.response_filtering' is in effect.

* Require that any user-defined X-Internal headers include a product name, 
e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other 
products' user-defined headers.

This would all be placed under a new section entitled "Internal Response 
Headers" and defined as an optional extension.

Any thoughts?

More information about the Web-SIG mailing list