[Web-SIG] Logging the authenticated user (was Re: Bowing out)

Stephan Richter srichter at cosmos.phy.tufts.edu
Tue Feb 7 18:38:39 CET 2006


On Tuesday 07 February 2006 12:28, Phillip J. Eby wrote:
> * Add an optional 'wsgi.response_filtering' key to the spec.  If its value
> is present and true, the server promises to prevent 'X-Internal-*' headers
> from being transmitted.
>
> * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
> that indicates the authenticated user name.  This should only be inserted
> into the response headers if 'wsgi.response_filtering' is in effect.
>
> * Require that any user-defined X-Internal headers include a product name,
> e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
> products' user-defined headers.
>
> This would all be placed under a new section entitled "Internal Response
> Headers" and defined as an optional extension.
>
> Any thoughts?

This sounds really good! Thanks for the great summary and suggestions. As far
as I can tell it solves all of our use cases and addresses our security
concerns, i.e., not sending the username to the client.

Regards,
Stephan
-- 
Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training
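The extension sketched in the quoted proposal, as an added example that is not part of the original thread or of any WSGI server: the server-side wrapper (my `response_filtering`) sets `wsgi.response_filtering`, records the authenticated user for its access log, and drops every `X-Internal-*` header before the response reaches the client, while the application (`demo_app`, also mine) emits `X-Internal-WSGI-Authenticated-User` only when that promise is present. The `run` driver and the `audit` hook are assumptions for running it in-process; `X-Internal-Zope-Foo` is the product-header example from the proposal.

```python
import logging

AUTH_USER_HEADER = "X-Internal-WSGI-Authenticated-User"  # name from the proposal
INTERNAL_PREFIX = "x-internal-"  # header names are compared case-insensitively


def response_filtering(app, audit=None):
    """Server-side wrapper: promise filtering, log the user, strip X-Internal-* headers.

    audit(record) receives (method, path, user) per response; defaults to the
    'wsgi.access' logger.  (Hypothetical hook, used here so results are testable.)
    """
    if audit is None:
        audit = lambda rec: logging.getLogger("wsgi.access").info("%s %s user=%s", *rec)

    def wrapped(environ, start_response):
        environ["wsgi.response_filtering"] = True  # the server's promise to the app

        def filtered_start_response(status, headers, exc_info=None):
            user = None
            public = []
            for name, value in headers:
                if name.lower().startswith(INTERNAL_PREFIX):
                    if name.lower() == AUTH_USER_HEADER.lower():
                        user = value
                    continue  # internal header: never transmitted to the client
                public.append((name, value))
            audit((environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"), user or "-"))
            return start_response(status, public, exc_info)

        return app(environ, filtered_start_response)

    return wrapped


def demo_app(environ, start_response):
    """Application side: only emit internal headers when filtering is promised."""
    headers = [("Content-Type", "text/plain")]
    if environ.get("wsgi.response_filtering"):
        headers.append((AUTH_USER_HEADER, environ.get("REMOTE_USER", "anonymous")))
        headers.append(("X-Internal-Zope-Foo", "bar"))  # user-defined product header
    start_response("200 OK", headers)
    return [b"hello\n"]


def run(app, environ):
    """Minimal in-process driver: returns (status, headers, body) as a client would see them."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
        return lambda data: None  # 'write' callable, unused here

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Constructed environ dicts stand in for a real request; with the wrapper in place the username reaches the audit hook but not the client headers.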
