Item8851: TemplateLogin does not log failure and other events.
Priority: Urgent
Current State: Closed
Released In: 1.0.10, 1.1.0
Target Release: patch
TemplateLogin doesn't log any login failures or successes. This makes it difficult to detect and control certain attacks.
Session events including Login Success, Failure and Logout should be logged. I propose the following changes to address this issue:
Index: LoginManager.pm
===================================================================
--- LoginManager.pm (revision 7103)
+++ LoginManager.pm (working copy)
@@ -400,6 +400,7 @@
}
else {
_trace( $this, "User is logging out" );
+ $session->logEvent( 'logout', ' ', "AUTHENTICATION LOGOUT - $authUser - " );
#TODO: consider if we should risk passing on the urlparams on logout
my $path_info = $session->{request}->path_info();
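Review bot: The added logout call passes a single space, ' ', as its second argument, whereas both login calls in TemplateLogin.pm pass $web . '.' . $topic, so logout records carry no location and will not line up with login records when the log is filtered on that field. Pass the web and topic here too if they are available at this point. The assignment of $authUser is outside the visible context, so confirm it is still populated when this line runs; a logout record with an empty user name cannot be tied back to a session. The message also ends in a dangling " - " that can be dropped.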
Index: LoginManager/TemplateLogin.pm
===================================================================
--- LoginManager/TemplateLogin.pm (revision 7103)
+++ LoginManager/TemplateLogin.pm (working copy)
@@ -160,6 +160,7 @@
# the params passed to this script, and they will be used
# in loadSession if no other user info is available.
$this->userLoggedIn($loginName);
+ $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION SUCCESS - $loginName - " );
# remove the sudo param - its only to tell TemplateLogin
# that we're using BaseMapper..
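Review bot: The success record added after userLoggedIn uses the same action value, 'login', as the failure record later in this patch, so the two outcomes can only be told apart by pattern-matching the free-text message. Give them distinct action values, or document the "AUTHENTICATION SUCCESS" and "AUTHENTICATION FAILURE" prefixes as a stable format so detection rules can rely on them. The trailing " - " after $loginName has nothing following it; drop it or fill it with the field it was meant to hold. The declarations of $web and $topic are not in the visible context, so confirm both are in scope and defined on this path.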
@@ -189,6 +190,7 @@
}
else {
$session->{response}->status(403);
+ $session->logEvent( 'login', $web . '.' . $topic, "AUTHENTICATION FAILURE - $loginName - " );
$banner = $session->templates->expandTemplate('UNRECOGNISED_USER');
}
}
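Review bot: In the failure branch, $loginName is interpolated into the log message as submitted, and on this path it is by definition not a validated user. Strip or encode newlines and other control characters and cap the length before logging, otherwise a crafted login name can break a record across lines or forge entries that look like "AUTHENTICATION SUCCESS" to anything parsing the log. Failed login names also sometimes contain a password typed into the wrong field, so the log this writes to should be readable only by administrators. The trailing " - " is dangling here as well.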
--
GeorgeClark - 06 Apr 2010