[Web-SIG] Communicating authenticated user information

Jim Fulton jim at zope.com
Wed Jan 25 12:15:13 CET 2006


Michal Wallace wrote:
> On Tue, 24 Jan 2006, Jim Fulton wrote:
> 
> 
>>Michal Wallace wrote:
>>
>>
>>>Maybe I just don't understand why this is important. Can someone (Jim)
>>>explain why this
>>>is a requirement in the first place?
>>
>>We do our own authentication for lots of reasons, including:
> 
> ... 
> 
>>History has shown us that many users find this useful.
> 
> 
> 
> No, I understand why you do your own authentication.
> Simply having the ability to log out trumps HTTP 
> authentication every time. 
> 
> What I'm trying to understand is the next thought in
> the chain:
>  
> 
>>If Zope performs authentication, then we'd like 
>>the authentication to show up in the access logs.
> 
> 
> Why do you want this? 
> What do people do with the information?

Ask the authors of the Apache common log format.

When you see an entry in the access log, it is often useful to
know:

- Was it a request from an anonymous user?

- If not, who made the request?

Zope 3.2, which uses WSGI exclusively for HTTP requests, no
longer has this information, and we have received numerous
complaints.

> To me it makes a lot more sense to log application-level
> events: so-and-so tried to do this, etc... Whereas at
> the web server log level, you're logging that so-and-so's 
> browser requested a gif or a css file.

We are also logging requests that change application state.
For these, some indication of who performed the action is
important.  Or you might be logging a request in which
someone is downloading information that requires login,
perhaps because someone had to pay for the privilege.

Jim

-- 
Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
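
The two questions in the message above (was the request anonymous, and if not, who made it) are answered by the third field of the Common Log Format. The following is an added example, not part of the original message or of Zope: it parses constructed sample log lines, groups requests by authenticated user, and flags successful state-changing requests that carry no user. The names `parse`, `audit`, `STATE_CHANGING` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed sample lines (documentation IP ranges, made-up users and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2006:12:15:13 +0100] "GET /style.css HTTP/1.1" 200 1043
192.0.2.10 - alice [25/Jan/2006:12:15:20 +0100] "POST /docs/edit HTTP/1.1" 302 0
198.51.100.7 - - [25/Jan/2006:12:16:02 +0100] "POST /docs/edit HTTP/1.1" 401 512
198.51.100.7 - bob [25/Jan/2006:12:17:45 +0100] "GET /paid/report.pdf HTTP/1.1" 200 88211
203.0.113.5 - - [25/Jan/2006:12:18:00 +0100] "DELETE /docs/42 HTTP/1.1" 200 17
not a log line
"""

def parse(line):
    """Return a dict for one CLF line, or None if it does not match."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" means anonymous
    rec["status"] = int(rec["status"])
    return rec

def audit(text):
    """Group requests by authenticated user; flag successful anonymous changes."""
    by_user, anonymous_changes, unparsed = defaultdict(list), [], 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            unparsed += 1          # count malformed lines instead of hiding them
        elif rec["user"]:
            by_user[rec["user"]].append((rec["method"], rec["path"]))
        elif rec["method"] in STATE_CHANGING and rec["status"] < 400:
            anonymous_changes.append((rec["host"], rec["method"], rec["path"]))
    return dict(by_user), anonymous_changes, unparsed

if __name__ == "__main__":
    users, anon, bad = audit(SAMPLE_LOG)
    print(users, anon, bad, sep="\n")
```

When the server cannot see the application's authentication, every line carries `-` in the user field, so `by_user` comes back empty and every successful change is reported as anonymous.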

