
Item8851: TemplateLogin does not log failure and other events.

Priority: Urgent
CurrentState: Closed
AppliesTo: Engine
Component: TemplateLogin
WaitingFor:
TemplateLogin doesn't log any login failures or successes. This makes it difficult to detect and control certain attacks.

Session events including Login Success, Failure and Logout should be logged. I propose the following changes to address this issue:

Index: LoginManager.pm
===================================================================
--- LoginManager.pm     (revision 7103)
+++ LoginManager.pm     (working copy)
@@ -400,6 +400,7 @@
         }
         else {
             _trace( $this, "User is logging out" );
+            $session->logEvent( 'logout', ' ', "AUTHENTICATION LOGOUT - $authUser - " );

             #TODO: consider if we should risk passing on the urlparams on logout
             my $path_info = $session->{request}->path_info();
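Review bot: The second argument to logEvent on the added line is a literal ' ', while both calls added in LoginManager/TemplateLogin.pm pass $web . '.' . $topic in that position, so logout records carry a blank web.topic field where the login records carry a real one. If the web and topic are in scope on this branch, pass them the same way; otherwise add a comment saying why the field is left blank. It is also worth confirming that $authUser is always defined here, since it is interpolated straight into the message.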
Index: LoginManager/TemplateLogin.pm
===================================================================
--- LoginManager/TemplateLogin.pm       (revision 7103)
+++ LoginManager/TemplateLogin.pm       (working copy)
@@ -160,6 +160,7 @@
             # the params passed to this script, and they will be used
             # in loadSession if no other user info is available.
             $this->userLoggedIn($loginName);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION SUCCESS - $loginName - " );

             # remove the sudo param - its only to tell TemplateLogin
             # that we're using BaseMapper..
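Review bot: The added logEvent call uses the action 'login', and the failure path in the next hunk uses the same action, so the only thing separating a success from a failure is the free-text prefix "AUTHENTICATION SUCCESS" versus "AUTHENTICATION FAILURE". Anyone filtering or alerting on this log has to match on that string; consider distinct action names, or document the message prefixes as a stable format. The trailing " - " after $loginName leaves a dangling separator with nothing after it and can be dropped.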
@@ -189,6 +190,7 @@
         }
         else {
             $session->{response}->status(403);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION FAILURE - $loginName - " );
             $banner = $session->templates->expandTemplate('UNRECOGNISED_USER');
         }
     }
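Review bot: On the added line in the else branch, $loginName is whatever the client submitted for a login that was just rejected with status 403, and it is interpolated into the log message unchanged. A value containing newlines or the " - " separator can split or mimic log records, so strip control characters and cap the length before logging, or confirm that logEvent already does this. Rejected login names are also sometimes passwords typed into the wrong field, which is a reason to keep read access to this log tight.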

-- GeorgeClark - 06 Apr 2010
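
The three messages this patch writes are enough to drive a simple detector. The following is an added example, not part of the original report or of Foswiki's code: it counts AUTHENTICATION FAILURE records per login name in a sliding window and flags a SUCCESS that follows a burst. The pipe-delimited line layout, timestamps, names and addresses are constructed for the example; only the message text is taken from the patch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the "AUTHENTICATION <kind> - <name> - " text comes from the patch.
# The pipe-delimited layout, timestamps, names and IPs are constructed.
EVENT = re.compile(r"^\| (?P<ts>\S+) \|.*?AUTHENTICATION "
                   r"(?P<kind>SUCCESS|FAILURE|LOGOUT) - (?P<name>.*?) -\s*\|")

SAMPLE_LOG = """\
| 2010-04-06T10:00:01 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - alice - | 192.0.2.10 |
| 2010-04-06T10:00:20 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - alice - | 192.0.2.10 |
| 2010-04-06T10:00:30 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - bob - | 192.0.2.44 |
| 2010-04-06T10:00:41 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - alice - | 192.0.2.10 |
| 2010-04-06T10:00:50 | bob | login | Main.WebHome | AUTHENTICATION SUCCESS - bob - | 192.0.2.44 |
| 2010-04-06T10:01:10 | alice | login | Main.WebHome | AUTHENTICATION SUCCESS - alice - | 192.0.2.10 |
| 2010-04-06T10:02:00 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - carol - | 192.0.2.77 |
| 2010-04-06T10:09:00 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - carol - | 192.0.2.77 |
| 2010-04-06T10:16:00 | guest | login | Main.WebHome | AUTHENTICATION FAILURE - carol - | 192.0.2.77 |
| 2010-04-06T10:17:00 | alice | logout |   | AUTHENTICATION LOGOUT - alice - | 192.0.2.10 |
"""

def parse(lines):
    """Yield (time, kind, login_name) for each authentication record."""
    for line in lines:
        m = EVENT.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["kind"], m["name"]

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag failure bursts per login name, and a success right after one."""
    recent = defaultdict(deque)  # login name -> failure times inside window
    alerts = []
    for ts, kind, name in parse(lines):
        fails = recent[name]
        while fails and ts - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if kind == "FAILURE":
            fails.append(ts)
            if len(fails) == threshold:
                alerts.append(("failure-burst", name, ts))
        elif kind == "SUCCESS":
            if len(fails) >= threshold:
                alerts.append(("success-after-burst", name, ts))
            fails.clear()
    return alerts
```

On the sample, alice's three failures in 40 seconds raise a burst alert and her following success is flagged, while bob's single mistyped attempt and carol's widely spaced failures stay quiet.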

 

ItemTemplate

Summary: TemplateLogin does not log failure and other events.
ReportedBy: GeorgeClark
Codebase: 1.0.9, trunk
SVN Range:
AppliesTo: Engine
Component: TemplateLogin
Priority: Urgent
CurrentState: Closed
WaitingFor:
Checkins: Foswikirev:7107 Foswikirev:7113
TargetRelease: patch
ReleasedIn: 1.0.10, 1.1.0
Topic revision: r7 - 08 Sep 2010, KennethLavrsen
 