[Web-SIG] Logging the authenticated user (was Re: Bowing out)

Clark C. Evans cce at clarkevans.com
Wed Feb 8 02:22:33 CET 2006


You are correct, I'm convinced that response headers are the place
to include this sort of inter-middleware communication.

On Tue, Feb 07, 2006 at 12:28:09PM -0500, Phillip J. Eby wrote:
| * Add an optional 'wsgi.response_filtering' key to the spec.  If its value 
| is present and true, the server promises to prevent 'X-Internal-*' headers 
| from being transmitted.

I absolutely love wsgi.response_filtering, only I feel that it should be
a *mutable* listing of the headers that the server should strip.  If
the list is not present, then response filtering is not available. In
particular, I think that requring 'X-Internal-' is not quite explicit
enough and, at the same time, too limiting.

| * Add an optional 'X-Internal-WSGI-Authenticated-User' header to the spec, 
| that indicates the authenticated user name.  This should only be inserted 
| into the response headers if 'wsgi.response_filtering' is in effect.
| * Require that any user-defined X-Internal headers include a product name, 
| e.g. 'X-Internal-Zope-Foo', to avoid conflict with WSGI-defined or other 
| products' user-defined headers.
| This would all be placed under a new section entitled "Internal Response 
| Headers" and defined as an optional extension.

Sure; these are good suggestions.



More information about the Web-SIG mailing list