[Web-SIG] Communicating authenticated user information

Jim Fulton jim at zope.com
Wed Jan 25 12:15:13 CET 2006

Michal Wallace wrote:
> On Tue, 24 Jan 2006, Jim Fulton wrote:
>>Michal Wallace wrote:
>>>Maybe I just don't understand why this is important. Can someone (Jim)
>>>explain why this
>>>is a requirement in the first place?
>>We do our own authentication for lots of reasons, including:
> ... 
>>History has shown us that many users find this useful.
> No, I understand why you do your own authentication.
> Simply having the ability to log out trumps HTTP 
> authentication every time. 
> What I'm trying to understand is the next thought in
> the chain:
>>If Zope performs authentication, then we'd like 
>>the authentication to show up in the access logs.
> Why do you want this? 
> What do people do with the information?

Ask the authors of the Apache common log format.

When you see an entry in the access log, it is often useful to

- Was it a request from an anonymous user?

- If not, who made the request?

Zope 3.2, which uses WSGI exclusively for HTTP requests, no
longer has this information and we have received numerous

> To me it makes a lot more sense to log application-level
> events: so-and-so tried to do this, etc... Whereas at
> the web server log level, you're logging that so-and-so's 
> browser requested a gif or a css file.

We are also logging requests that change application state.
For these, some indication of who performed the action is
important.  Or you might be logging a request in which
someone is downloading information that requires login,
perhaps because someone had to pay for the privilege.


Jim Fulton           mailto:jim at zope.com       Python Powered!
CTO                  (540) 361-1714            http://www.python.org
Zope Corporation     http://www.zope.com       http://www.zope.org
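
An added example, not code from this message, Zope or the WSGI specification: a server-side WSGI wrapper that writes Common Log Format lines and fills the user field from a name the application reports after doing its own authentication. The environ key `example.auth_info`, the cookie check and the sample request are assumptions constructed for illustration; the name is stripped of spaces, quotes and control characters so it cannot forge log fields or extra lines.

```python
import time

ENV_KEY = "example.auth_info"  # hypothetical environ key, an assumption of this example

def clean(value, banned=' "\\[]'):
    """Make value safe for one log field; '-' is the format's 'no value' marker."""
    text = "".join(c for c in str(value or "") if c.isprintable() and c not in banned)
    return text or "-"

class AccessLog:
    """WSGI middleware appending one Common Log Format line per request to sink."""
    def __init__(self, app, sink, clock=time.time):
        self.app, self.sink, self.clock = app, sink, clock

    def __call__(self, environ, start_response):
        info = environ.setdefault(ENV_KEY, {})  # the application sets info["user"]
        seen = {"status": "-", "length": "-"}
        def recording_start_response(status, headers, exc_info=None):
            seen["status"] = status.split(" ", 1)[0]
            for name, value in headers:
                if name.lower() == "content-length":
                    seen["length"] = value
            return start_response(status, headers, exc_info)

        body = self.app(environ, recording_start_response)
        try:
            yield from body
        finally:
            getattr(body, "close", lambda: None)()
            # Written after the response, so the application's final answer is logged.
            stamp = time.strftime("%d/%b/%Y:%H:%M:%S +0000", time.gmtime(self.clock()))
            request = " ".join(clean(environ.get(key), '"\\') for key in
                               ("REQUEST_METHOD", "PATH_INFO", "SERVER_PROTOCOL"))
            self.sink.append('%s - %s [%s] "%s" %s %s' % (
                clean(environ.get("REMOTE_ADDR")), clean(info.get("user")), stamp,
                request, clean(seen["status"]), clean(seen["length"])))

def sample_app(environ, start_response):
    # Constructed application that authenticates on its own (made-up cookie check).
    if environ.get("HTTP_COOKIE") == "session=constructed-token":
        environ[ENV_KEY]["user"] = "jim"
    start_response("200 OK", [("Content-Length", "2")])
    return [b"ok"]

def run(cookie=None):
    sink, environ = [], {"REQUEST_METHOD": "GET", "PATH_INFO": "/report",
                         "SERVER_PROTOCOL": "HTTP/1.1", "REMOTE_ADDR": "192.0.2.10"}
    environ.update({"HTTP_COOKIE": cookie} if cookie else {})
    list(AccessLog(sample_app, sink, clock=lambda: 0)(environ, lambda *args: None))
    return sink[0]
```

`run()` returns the line for an anonymous request and `run("session=constructed-token")` the line for the authenticated one; only the third field differs.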
