Moodle / MDL-64394

Users authenticated via pre_loginpage_hook are not correctly set in the apachelog


Details

    • MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_35_STABLE, MOODLE_36_STABLE
    • MDL-64394-accesslog

      A simple way to test is using the auth_basic plugin:

      https://github.com/catalyst/moodle-auth_basic

      First test using the nginx / X-header way of logging

      1) Set $CFG->headerloguser = 3; in config.php

      Use the HTTP header in the logs, Apache config:

      LogFormat "%h %l – %{X-MOODLEUSER}o – %t \"%r\" %s %b " moodleformat
      CustomLog ${APACHE_LOG_DIR}/moodle.local/access.log moodleformat

      2) Install the auth basic plugin (and enable it)

      3) Create a test user and set their auth type to 'basic'

      4) Attempt an auth from the CLI:

      curl -sv --user test-user:test-pass http://moodle.local/my/ > /dev/null

      Without the patch you will not see this header, but with the patch you will see this HTTP header:

      < X-MOODLEUSER: test-user

      Also confirm it comes through the logs

      Rinse and repeat using the Apache note method

      1) Set $CFG->apacheloguser = 3; in config.php

      2) Check your Apache logs to include the user using this log format:

      LogFormat "%h %l – %{MOODLEUSER}n – %t \"%r\" %s %b " moodleformat
      CustomLog ${APACHE_LOG_DIR}/moodle.local/access.log moodleformat

      3) Repeat the CLI auth step above and check things come out in the access logs

      e.g.

      127.0.0.1 - test-user [14/Dec/2018:14:49:54 +1100] "GET / HTTP/1.1" 200 1397446
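
The header and log checks in the steps above can be scripted. This is an added example, not part of the tracker issue or the Moodle patch: the function names and the sample curl and log text are constructed, and the log layout assumed is that of the sample line above (user in the third field).

```shell
#!/bin/sh
# Added example (not from the tracker issue): checks that a request is attributed
# to the expected Moodle user in both places the test steps look at, for the
# $CFG->headerloguser variant where the log field comes from the response header.

# Print the X-MOODLEUSER value from `curl -sv` output on stdin; status 1 if absent.
header_user() {
    # curl marks response headers with "< "; header names are case-insensitive.
    tr -d '\r' | awk 'tolower($1 $2) == "<x-moodleuser:" { print $3; found = 1; exit }
                      END { if (!found) exit 1 }'
}

# Print the user field of the latest access-log line on stdin whose request path
# is $1. Assumes the layout of the page's sample line (user is the 3rd field).
log_user() {
    awk -v path="$1" '
        { split($0, q, "\"") }   # q[2] is the request line: METHOD PATH PROTOCOL
        split(q[2], req, " ") == 3 && req[2] == path { user = $3; seen = 1 }
        END { if (!seen) exit 1; print user }'
}

# $1 expected user, $2 path, $3 curl -sv output, $4 access-log text.
check_attribution() {
    h=$(printf '%s\n' "$3" | header_user) || { echo "FAIL: no X-MOODLEUSER header"; return 1; }
    l=$(printf '%s\n' "$4" | log_user "$2") || { echo "FAIL: no log entry for $2"; return 1; }
    if [ "$h" = "$1" ] && [ "$l" = "$1" ]; then echo "OK: $2 attributed to $1"; return 0; fi
    echo "FAIL: header=$h log=$l expected=$1"; return 1
}

# Constructed samples: the first request of a pre_loginpage_hook login, with and
# without the fix. Apache writes "-" for a header or note that was never set.
PATCHED_CURL='> GET /my/ HTTP/1.1
< HTTP/1.1 200 OK
< X-MOODLEUSER: test-user'
UNPATCHED_CURL='> GET /my/ HTTP/1.1
< HTTP/1.1 200 OK'
PATCHED_LOG='127.0.0.1 - test-user [14/Dec/2018:14:49:54 +1100] "GET /my/ HTTP/1.1" 200 1397446'
UNPATCHED_LOG='127.0.0.1 - - [14/Dec/2018:14:49:54 +1100] "GET /my/ HTTP/1.1" 200 1397446'

check_attribution test-user /my/ "$PATCHED_CURL" "$PATCHED_LOG"
check_attribution test-user /my/ "$UNPATCHED_CURL" "$UNPATCHED_LOG" || true
```

Against a live test site, pass the captured stderr of the curl command and the tail of the access log in place of the constructed samples.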
       
      

       


    Description

      If a user logs in via an auth method that supports the $authplugin->pre_loginpage_hook(), e.g. auth_saml2 or auth_basic, they are logged in over the course of a single HTTP request without being redirected.

      But if you are logging the user to the web server access logs using either

      $CFG->apacheloguser

      or

      $CFG->headerloguser

      then this means the first request doesn't correctly show that user in the logs, because these headers / Apache note are set in setup lib, which is well before require_login() may be called later on.

      We just need to refactor that chunk of code out of setup.php and, if the $USER global changes as a result of pre_loginpage_hook, call it a second time to update the headers / Apache note before they are sent over the wire.

       


            People

              brendanheywood Brendan Heywood
              brendanheywood Brendan Heywood
              Ilya Tregubov Ilya Tregubov
              Andrew Lyons Andrew Lyons
              Amaia Anabitarte Amaia Anabitarte
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan

              Dates

                Created:
                Updated:
                Resolved:
                13/May/19

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0m
                  Logged: 5h