[Web-SIG] Logging the authenticated user (was Re: Bowing out)
ianb at colorstudy.com
Tue Feb 7 18:50:49 CET 2006
Phillip J. Eby wrote:
> So, if there are no objections, I propose that we:
> * Add an optional 'wsgi.response_filtering' key to the spec. If its value
> is present and true, the server promises to prevent 'X-Internal-*' headers
> from being transmitted.
> * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
> that indicates the authenticated user name. This should only be inserted
> into the response headers if 'wsgi.response_filtering' is in effect.
> * Require that any user-defined X-Internal headers include a product name,
> e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
> products' user-defined headers.
> This would all be placed under a new section entitled "Internal Response
> Headers" and defined as an optional extension.
> Any thoughts?
Sounds good to me, and wsgi.response_filtering seems to address the
backward compatibility well. It would be easy, for instance, to apply
the filtering in the logging middleware if the server was not already
filtering the response, and set the key to represent that the filtering
was in place.
Ian Bicking / ianb at colorstudy.com / http://blog.ianbicking.org
More information about the Web-SIG