[Web-SIG] Logging the authenticated user (was Re: Bowing out)

Stephan Richter srichter at cosmos.phy.tufts.edu
Tue Feb 7 18:38:39 CET 2006

On Tuesday 07 February 2006 12:28, Phillip J. Eby wrote:
> * Add an optional 'wsgi.response_filtering' key to the spec.  If its value
> is present and true, the server promises to prevent 'X-Internal-*' headers
> from being transmitted.
> * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec,
> that indicates the authenticated user name.  This should only be inserted
> into the response headers if 'wsgi.response_filtering' is in effect.
> * Require that any user-defined X-Internal headers include a product name,
> e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other
> products' user-defined headers.
> This would all be placed under a new section entitled "Internal Response
> Headers" and defined as an optional extension.
> Any thoughts?

This sounds really good! Thanks for the great summary and suggestions. As far 
as I can tell it solves all of our use cases and addresses our security 
concerns; i.e. not sending the username to the client.

Stephan Richter
CBU Physics & Chemistry (B.S.) / Tufts Physics (Ph.D. student)
Web2k - Web Software Design, Development and Training

More information about the Web-SIG mailing list