Item8851: TemplateLogin does not log failure and other events.

Priority: Urgent
Current State: Closed
Released In: 1.0.10, 1.1.0
Target Release: patch
Applies To: Engine
Component: TemplateLogin
Reported By: GeorgeClark
Waiting For:
Last Change By: KennethLavrsen
TemplateLogin doesn't log any login failures or successes. This makes it difficult to detect and control certain attacks.

Session events including Login Success, Failure and Logout should be logged. I propose the following changes to address this issue:

Index: LoginManager.pm
===================================================================
--- LoginManager.pm     (revision 7103)
+++ LoginManager.pm     (working copy)
@@ -400,6 +400,7 @@
         }
         else {
             _trace( $this, "User is logging out" );
+            $session->logEvent( 'logout', ' ', "AUTHENTICATION LOGOUT - $authUser - " );

             #TODO: consider if we should risk passing on the urlparams on logout
             my $path_info = $session->{request}->path_info();
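Review bot: the added logout call passes a literal single space (' ') as the second argument to logEvent, while both login calls in LoginManager/TemplateLogin.pm pass $web . '.' . $topic in that position, so logout records will not line up with login records when filtering on that field. Pass the current web and topic here if they are in scope, or an empty string if the field is meant to be blank. $authUser is also not assigned anywhere in the visible context of this hunk; confirm it is defined on this branch, otherwise the entry will record an empty user name.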
Index: LoginManager/TemplateLogin.pm
===================================================================
--- LoginManager/TemplateLogin.pm       (revision 7103)
+++ LoginManager/TemplateLogin.pm       (working copy)
@@ -160,6 +160,7 @@
             # the params passed to this script, and they will be used
             # in loadSession if no other user info is available.
             $this->userLoggedIn($loginName);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION SUCCESS - $loginName - " );

             # remove the sudo param - its only to tell TemplateLogin
             # that we're using BaseMapper..
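Review bot: success and failure are both logged under the same 'login' action on the added line here and in the next hunk, and are told apart only by the free-text strings "AUTHENTICATION SUCCESS" and "AUTHENTICATION FAILURE" in the third argument. Anything that monitors the log has to string-match on those markers, so either document them as a stable format or use distinct action names. The message also ends with a dangling " - " with nothing after it; drop the separator or append the value that was meant to follow.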
@@ -189,6 +190,7 @@
         }
         else {
             $session->{response}->status(403);
+            $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION FAILURE - $loginName - " );
             $banner = $session->templates->expandTemplate('UNRECOGNISED_USER');
         }
     }
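Review bot: on this failure branch $loginName is whatever the client submitted, and the added logEvent line interpolates it unmodified into the message. Strip or encode control characters (newlines in particular) and cap the length before logging, so a crafted login name cannot split or forge log records, and handle an empty or undefined value so the entry stays parseable. Failed login names can also be passwords typed into the wrong field, so the log this writes to should be readable only by administrators.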

-- GeorgeClark - 06 Apr 2010

 

ItemTemplate

Summary TemplateLogin does not log failure and other events.
ReportedBy GeorgeClark
Codebase 1.0.9, trunk
SVN Range
AppliesTo Engine
Component TemplateLogin
Priority Urgent
CurrentState Closed
WaitingFor
Checkins distro:c514b3ecba09 distro:b331728a48e7
TargetRelease patch
ReleasedIn 1.0.10, 1.1.0
Topic revision: r7 - 08 Sep 2010, KennethLavrsen
 