MDL-64394

Users authenticated via pre_loginpage_hook are not correctly set in the apachelog


    Details

    • Testing Instructions:

      A simple way to test is using the auth_basic plugin:

      https://github.com/catalyst/moodle-auth_basic

       

      First test using the nginx / X-header way of logging

      1) Set $CFG->headerloguser = 3; in config.php

      Use the http header in the logs, apache config:

      LogFormat "%h %l – %{X-MOODLEUSER}o – %t \"%r\" %s %b " moodleformat
      CustomLog ${APACHE_LOG_DIR}/moodle.local/access.log moodleformat

      2) install the auth basic plugin (and enable it)

      3) Create a test user and set their auth type to 'basic'

      4) Attempt an auth from the cli:

       

      curl -sv --user test-user:test-pass http://moodle.local/my/ > /dev/null
      

      Without the patch you will not see this header, but with the patch you will see this HTTP header:

      < X-MOODLEUSER: test-user

      Also confirm it comes through the logs

       

      Rinse and repeat using the apache note method

      1) Set $CFG->apacheloguser = 3; in config.php

      2) Check your apache logs to include the user using this log format:

      LogFormat "%h %l – %{MOODLEUSER}n – %t \"%r\" %s %b " moodleformat
      CustomLog ${APACHE_LOG_DIR}/moodle.local/access.log moodleformat

      3) Repeat cli auth step above and check things come out in the access logs

      eg

       

      127.0.0.1 - test-user [14/Dec/2018:14:49:54 +1100] "GET / HTTP/1.1" 200 1397446
       
      

       

    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE
    • Pull 3.5 Branch:
      MDL-64394-accesslog-MOODLE_35_STABLE
    • Pull 3.6 Branch:
      MDL-64394-accesslog-MOODLE_36_STABLE
    • Pull Master Branch:
      MDL-64394-accesslog

      Description

      If a user logs in via an auth method that supports the $authplugin->pre_loginpage_hook(), e.g. auth_saml2 or auth_basic, they are logged in over the course of a single HTTP request without being redirected.

      But if you are logging the user to the web server access logs using either

      $CFG->apacheloguser
      

      or 

      $CFG->headerloguser 
      

      then the first request doesn't correctly show that user in the logs, because these headers / Apache note are set in setup lib, which is well before require_login() may be called later on.

      We just need to refactor that chunk of code out of setup.php and if the $USER global changes as a result of pre_loginpage_hook then call it a second time to update the headers / apache note before they are sent over the wire.
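
As an added example (not part of the issue or of Moodle's code), the log check from the testing instructions can be automated: the script below parses access-log lines in the layout of the sample line above and flags requests where a login-only page was served with status 200 but no user was logged, which is the symptom described here. The `/my/` prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Matches the sample line on this page and also the LogFormat variants above,
# whose literal dash separators around the user field are treated as optional.
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?:[-–] )?(?P<user>\S+) (?:[-–] )?'
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return entry

def unattributed_hits(lines, protected=("/my/",)):
    """Entries that served a login-only page (200) with no user logged.

    Assumption: every prefix in `protected` redirects anonymous visitors, so
    a 200 there implies a logged-in user and "-" means the log missed them.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if (e and e["status"] == 200 and e["user"] == "-"
                and e["path"].startswith(protected)):
            hits.append(e)
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '127.0.0.1 - - [14/Dec/2018:14:49:50 +1100] "GET /my/ HTTP/1.1" 200 1397446',
    '127.0.0.1 - test-user [14/Dec/2018:14:49:54 +1100] "GET /my/ HTTP/1.1" 200 1397446',
    '127.0.0.1 - – - – [14/Dec/2018:14:50:02 +1100] "GET /my/ HTTP/1.1" 200 1397446 ',
    '127.0.0.1 - - [14/Dec/2018:14:50:05 +1100] "GET /my/ HTTP/1.1" 303 512',
]

if __name__ == "__main__":
    for e in unattributed_hits(SAMPLE):
        print(e["time"].isoformat(), e["host"], e["path"], "served without a logged user")
```

The parser assumes the logged value contains no spaces, as with the username setting (`3`) used in the testing instructions.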

                  Fix Release Date:
                  13/May/19

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0 minutes
                  Logged: 5 hours