[Web-SIG] Logging the authenticated user (was Re: Bowing out)
Clark C. Evans
cce at clarkevans.com
Wed Feb 8 02:22:33 CET 2006
You are correct, I'm convinced that response headers are the place
to include this sort of inter-middleware communication.
On Tue, Feb 07, 2006 at 12:28:09PM -0500, Phillip J. Eby wrote:
| * Add an optional 'wsgi.response_filtering' key to the spec. If its value
| is present and true, the server promises to prevent 'X-Internal-*' headers
| from being transmitted.
I absolutely love wsgi.response_filtering, only I feel that it should be
a *mutable* listing of the headers that the server should strip. If
the list is not present, then response filtering is not available. In
particular, I think that requring 'X-Internal-' is not quite explicit
enough and, at the same time, too limiting.
| * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
| that indicates the authenticated user name. This should only be inserted
| into the response headers if 'wsgi.response_filtering' is in effect.
| * Require that any user-defined X-Internal headers include a product name,
| e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
| products' user-defined headers.
| This would all be placed under a new section entitled "Internal Response
| Headers" and defined as an optional extension.
Sure; these are good suggestions.
More information about the Web-SIG