NOTE: If you are a developer, please use a private wiki based on foswiki/trunk on a daily base ...or use trunk.foswiki.org to view this page for some minimal testing.
Use Item9693 for docu changes for 1.2 and 2.0.
You are here: Foswiki>Tasks Web>Item8851 (08 Sep 2010, KennethLavrsen) Edit this topic text (e) Attach an image or document to this topic; manage existing attachments (a) View sequential topic history View without formatting (v) Create new topic Printable version of this topic (p) More: delete or rename this topic; set parent topic; view and compare revisions (m)

Item8851: TemplateLogin does not log failure and other events.

Priority: CurrentState: AppliesTo: Component: WaitingFor:
Urgent Closed Engine TemplateLogin  
TemplateLogin doesn't log any login failures or successes. This makes it difficult to detect and control certain attacks.

Session events including Login Success, Failure and Logout should be logged. I propose the following changes to address this issue: 

Index: LoginManager.pm
===================================================================
--- LoginManager.pm     (revision 7103)
+++ LoginManager.pm     (working copy)
@@ -400,6 +400,7 @@
         }
         else {
             _trace( $this, "User is logging out" );
+            $session->logEvent( 'logout', ' ', "AUTHENTICATION LOGOUT - $authUser - " );

             #TODO: consider if we should risk passing on the urlparams on logout
             my $path_info = $session->{request}->path_info();
Index: LoginManager/TemplateLogin.pm
===================================================================
--- LoginManager/TemplateLogin.pm       (revision 7103)
+++ LoginManager/TemplateLogin.pm       (working copy)
@@ -160,6 +160,7 @@
             # the params passed to this script, and they will be used
             # in loadSession if no other user info is available.
             $this->userLoggedIn($loginName);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION SUCCESS - $loginName - " );

             # remove the sudo param - its only to tell TemplateLogin
             # that we're using BaseMapper..
@@ -189,6 +190,7 @@
         }
         else {
             $session->{response}->status(403);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION FAILURE - $loginName - " );
             $banner = $session->templates->expandTemplate('UNRECOGNISED_USER');
         }
     }

-- GeorgeClark - 06 Apr 2010

 

ItemTemplate edit

Summary TemplateLogin does not log failure and other events.
ReportedBy GeorgeClark
Codebase 1.0.9, trunk
SVN Range
AppliesTo Engine
Component TemplateLogin
Priority Urgent
CurrentState Closed
WaitingFor
Checkins Foswikirev:7107 Foswikirev:7113
TargetRelease patch
ReleasedIn 1.0.10, 1.1.0
Edit | Attach | Print version | History: r7 < r6 < r5 < r4 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r7 - 08 Sep 2010, KennethLavrsen
 
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. see CopyrightStatement. Creative Commons LicenseGet Foswiki at sourceforge.net. Fast, secure and Free Open Source software downloads