[Web-SIG] Communicating authenticated user information
jim at zope.com
Wed Jan 25 12:15:13 CET 2006
Michal Wallace wrote:
> On Tue, 24 Jan 2006, Jim Fulton wrote:
>>Michal Wallace wrote:
>>>Maybe I just don't understand why this is important. Can someone (Jim)
>>>explain why this
>>>is a requirement in the first place?
>>We do our own authentication for lots of reasons, including:
>>History has shown us that many users find this useful.
> No, I understand why you do your own authentication.
> Simply having the ability to log out trumps HTTP
> authentication every time.
> What I'm trying to understand is the next thought in
> the chain:
>>If Zope performs authentication, then we'd like
>>the authentication to show up in the access logs.
> Why do you want this?
> What do people do with the information?
Ask the authors of the Apache common log format.
When you see an entry in the access log, it is often useful to
- Was it a request from an anonymous user?
- If not, who made the request?
Zope 3.2, which uses WSGI exclusively for HTTP requests, no
longer has this information and we have received numerous
> To me it makes a lot more sense to log application-level
> events: so-and-so tried to do this, etc... Whereas at
> the web server log level, you're logging that so-and-so's
> browser requested a gif or a css file.
We are also logging requests that change application state.
For these, some indication of who performed the action is
important. Or you might be logging a request in which
someone is downloading information that requires login,
perhaps because someone had to pay for the privilege.
Jim Fulton mailto:jim at zope.com Python Powered!
CTO (540) 361-1714 http://www.python.org
Zope Corporation http://www.zope.com http://www.zope.org