>Number:         5170
>Category:       config
>Synopsis:       Cannot configure Apache to log successful login authorization.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Tue Oct 19 13:40:02 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:   apache
>Release:        1.3.4
>Environment:    Solaris-6 x86
>Description:
There appears to be no way to configure the Apache server such that it will create a log entry when a person successfully logs in. The server does create an entry in the error log when a person is denied access.

Why this is important:
I need to be able to tell how many concurrent logins are active for a given account. This is necessary to prevent the accounts from being raided when someone posts the account information to a "password" site. This is a problem common to all pay sites.

Why access log scanning does not work:
The access logs can be scanned for information such as multiple IP addresses accessing the site within a given time frame, but this has serious limitations. Some users can have their IP address change with every request because of the service they use (AOL, etc.). Cookies won't work either for the same reason. There is not a strict 1:1 relationship between cookies and authorizations.
>How-To-Repeat:
>Fix:
Since there are several authorization modules, it would be best if this could be done via a change to the mod_log_config module. This assumes that mod_log_config has access to the status of an authorization event.
>Audit-Trail:
>Unformatted:
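
The access-log scan the report describes, as an added example (not part of the original report and not Apache code): it reads Common Log Format lines, where the third field is the authenticated user, and flags accounts seen from more than a threshold of distinct client addresses inside a sliding time window. The function name, window, threshold and sample lines are assumptions made for illustration; as the report notes, a user whose address changes on every request will trip the same check.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def shared_accounts(lines, window=timedelta(minutes=10), max_ips=2):
    """Return {user: peak distinct client IPs} for users seen from more than
    max_ips addresses inside any window. Assumes lines are in time order."""
    recent = defaultdict(deque)   # user -> (time, ip) pairs still inside the window
    flagged = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, user, ts, status = m.groups()
        # "-" means no credentials were sent; on a 401 the name is unverified
        if user == "-" or status == "401":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[user]
        q.append((when, ip))
        while when - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        distinct = len({addr for _, addr in q})
        if distinct > max_ips:
            flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

# Constructed sample lines (documentation address ranges, made-up users)
SAMPLE = [
    '192.0.2.10 - alice [19/Oct/1999:13:00:01 -0700] "GET /members/ HTTP/1.0" 200 512',
    '198.51.100.7 - bob [19/Oct/1999:13:00:05 -0700] "GET /members/ HTTP/1.0" 200 512',
    '203.0.113.4 - bob [19/Oct/1999:13:01:10 -0700] "GET /members/a.jpg HTTP/1.0" 200 900',
    '203.0.113.99 - bob [19/Oct/1999:13:02:30 -0700] "GET /members/b.jpg HTTP/1.0" 200 900',
    '192.0.2.55 - alice [19/Oct/1999:13:03:00 -0700] "GET /members/ HTTP/1.0" 401 0',
    '192.0.2.10 - alice [19/Oct/1999:13:30:00 -0700] "GET /members/ HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for user, n in shared_accounts(SAMPLE).items():
        print(f"{user}: {n} distinct addresses within the window")
```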