[Web-SIG] Communicating authenticated user information

Michal Wallace michal at sabren.com
Tue Jan 24 18:35:48 CET 2006


On Tue, 24 Jan 2006, Jim Fulton wrote:

> Phillip J. Eby wrote:
> ...
> > I'm pointing out that the use case under consideration isn't specific 
> > *enough* yet.  Do people's log files support unicode?  Do the 
> > authentication systems?  This hasn't been made clear, and it should be.
>
> I agree.  I think we should be guided by the common log file format.
> Log data are written to files and are thus not unicode. The user
> info is *just* documentation, so it is really up to the app what to
> show imo.  Further, because the common log file format is space
> delimited, the user info cannot contain spaces.


I'm curious. Suppose that a subset of your site
or application requires users to log in through
an HTML form, but that for some reason there's 
also a general HTTP authentication username and 
password over the whole system.

Which username should the web server log?

I think you guys are trying to solve this at
the wrong level. This problem should be 
handled by the web server itself. Even if you
want to use your own custom forms, there is
already a really nice solution to this problem
for Apache:

http://aspn.activestate.com/ASPN/CodeDoc/Apache-AuthCookie/AuthCookie.html

If a particular webserver doesn't allow this
sort of approach, then maybe the work should 
be done there?

Meanwhile, you can always do your own logging
for the events you actually want to record at
the application layer.

Maybe I just don't understand why this is 
important. Can someone (Jim) explain why this
is a requirement in the first place?

Sincerely,
 
Michal J Wallace
Sabren Enterprises, Inc.
-------------------------------------
contact: michal at sabren.com
hosting: http://www.cornerhost.com/
my site: http://www.withoutane.com/
-------------------------------------
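
An added example (not part of the original message or of any Web-SIG proposal): one way an application could turn an authenticated user name into a single ASCII token before it reaches a Common Log Format writer, given the constraints quoted above (space-delimited, not unicode). The `\xHH` escaping, the helper names and the sample values are assumptions made for this illustration.

```python
import re

# CLF layout: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

SAFE_PUNCT = "._@+-"  # assumption: conservative set kept unescaped


def clf_user(name):
    """Encode a user name as one ASCII token for the authuser field.

    Hypothetical helper: every UTF-8 byte outside ASCII letters, digits
    and SAFE_PUNCT is written as \\xHH, so spaces, quotes, brackets,
    control characters, backslashes and non-ASCII text cannot split a
    log line into extra fields. "-" is reserved for "no user".
    """
    if not name:
        return "-"
    out = []
    for b in name.encode("utf-8"):
        ch = chr(b)
        if b < 128 and (ch.isalnum() or ch in SAFE_PUNCT):
            out.append(ch)
        else:
            out.append("\\x%02x" % b)
    token = "".join(out)
    # A user literally named "-" must not look like an anonymous request.
    return "\\x2d" if token == "-" else token


def clf_line(host, user, when, request, status, size):
    """Format one CLF line; `user` is written exactly as given."""
    return '%s - %s [%s] "%s" %d %d' % (host, user, when, request, status, size)


def parse_user(line):
    """Return the authuser field, or None if the line is not valid CLF."""
    m = CLF_RE.match(line)
    return m.group(3) if m else None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real log.
    when, req = "24/Jan/2006:18:35:48 +0100", "GET / HTTP/1.1"
    raw = clf_line("192.0.2.1", "jim fulton", when, req, 200, 512)
    safe = clf_line("192.0.2.1", clf_user("jim fulton"), when, req, 200, 512)
    print(parse_user(raw))   # the unencoded name breaks field parsing
    print(parse_user(safe))  # the encoded name survives as one token
```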