
Set X-Jethro-User header, etc, to identify user operations in webserver logs #851

Merged
merged 2 commits into from Feb 9, 2023

Conversation

@jefft (Contributor) commented Jan 23, 2023

In webserver access logs, it is useful to see which Jethro user made each request. This patch makes that possible by adding 3 new HTTP response headers:

  • X-Jethro-User is the username (for staff) or email (for members)
  • X-Jethro-UID is the internal ID. This is consistent across staff/member logins which might make it preferable to X-Jethro-User (also avoids logging PII).
  • X-Jethro-Session is a subset (for privacy) of the session id

These could be used in an Apache LogFormat directive as follows:

LogFormat "%v:%p %a %{X-Jethro-Session}o %{X-Jethro-User}o %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %D uid=%{X-Jethro-UID}o" vhost_combined_timed

Note: it is also possible to pass 'notes' from PHP to Apache:

apache_note('jethrouser', array_get($_SESSION['user'], 'username'));

then logged with %{jethrouser}n. However apache_note() doesn't work with php-fpm, or other webservers like nginx, so headers are better.

…. This sets 'X-Jethro-User' to the username (for staff) or email (for members). X-Jethro-UID is set to the username, and 'X-Jethro-Session' is set to a subset (for privacy) of the session id
@jefft changed the title from "Set HTTP response headers. These can be logged to assist in debugging…" to "Set X-Jethro-User header, etc, to identify user operations in webserver logs" on Jan 23, 2023
@tbar0970 (Owner) commented Jan 25, 2023

I can see the value of having these details in the webserver log. But it seems a pity to add more weight to every http response going back to the client. Is there no other way to be able to pass stuff to the log? (I note the limitations of apache_note)

Also, it looks like your code for the UUID header is actually using the username for control centre accounts rather than person ID

@tbar0970 (Owner)

If headers are the only way to achieve the logging we want, I'd argue for just one header with personid.

@jefft (Contributor, Author) commented Jan 25, 2023

Headers seem to be the only way (see e.g. here). In Atlassian apps like Jira, these headers are named X-AUSERNAME and X-ASESSIONID.

These headers aren't sent for /resource/* queries, just *.php, so bandwidth is trivial. If anyone cared they could prevent these headers being sent on to the user with e.g.:

Header always unset "X-Jethro-User"

Why 3 headers: X-Jethro-UID is consistent across member/staff logins, and doesn't leak PII in logs, but I'd guess 90% of users won't care about either of those things, and will prefer X-Jethro-User for readability and log greppability. There's no harm in having both in logs.

X-Jethro-Session allows debugging of painful situations where a user is logged in on multiple devices or browsers. It allows one to identify a stream of requests coming from just one device.
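To show what the vhost_combined_timed LogFormat from the PR description produces and how the X-Jethro-Session field separates one user's devices, here is an added Python example. It is not code from the original PR or from the Jethro project. It parses access-log lines written in that format and groups one uid's requests by session token. The host name, client addresses, session tokens, user names, user agents and uid values in SAMPLE_LOG are constructed for this example (the addresses are from the RFC 5737 documentation ranges), and the helper function names are my own.

```python
import re
from collections import defaultdict

# Regular expression for the vhost_combined_timed LogFormat quoted in the PR:
#   %v:%p %a %{X-Jethro-Session}o %{X-Jethro-User}o %t "%r" %>s %O
#   "%{Referer}i" "%{User-Agent}i" %D uid=%{X-Jethro-UID}o
# Apache writes "-" for a response header that was not set, which is what
# /resource/* requests and requests from users who are not logged in produce.
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) (?P<session>\S+) '
    r'(?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<user_agent>[^"]*)" (?P<usec>\d+) uid=(?P<uid>\S+)$'
)

# Constructed sample log (not real traffic): person 42 logged in as staff
# (username) on a desktop and as a member (email) on a phone, one static
# resource request with no identity headers, and one request by person 17.
SAMPLE_LOG = """\
jethro.example.org:443 203.0.113.5 1f3a9c2b jsmith [23/Jan/2023:10:15:32 +1100] "GET /index.php?view=persons HTTP/1.1" 200 5123 "https://jethro.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0" 41234 uid=42
jethro.example.org:443 203.0.113.5 - - [23/Jan/2023:10:15:33 +1100] "GET /resources/css/style.css HTTP/1.1" 200 2048 "https://jethro.example.org/index.php?view=persons" "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0" 812 uid=-
jethro.example.org:443 198.51.100.7 8d77e0a4 jsmith@example.org [23/Jan/2023:10:16:01 +1100] "POST /members/index.php?view=rosters HTTP/1.1" 302 731 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X) Safari/604.1" 98765 uid=42
jethro.example.org:443 203.0.113.5 1f3a9c2b jsmith [23/Jan/2023:10:16:10 +1100] "GET /index.php?view=persons&personid=7 HTTP/1.1" 200 6011 "https://jethro.example.org/index.php?view=persons" "Mozilla/5.0 (X11; Linux x86_64) Firefox/109.0" 38001 uid=42
jethro.example.org:443 192.0.2.9 c0ffee11 mbrown [23/Jan/2023:10:17:45 +1100] "GET /index.php?view=home HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0" 30512 uid=17
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Normalise Apache's "-" placeholder to None so callers can test for absence.
    for key in ("session", "user", "uid", "referer"):
        if rec[key] == "-":
            rec[key] = None
    rec["status"] = int(rec["status"])
    rec["usec"] = int(rec["usec"])
    return rec


def parse_log(lines):
    """Parse an iterable of log lines, silently skipping lines in another format."""
    return [rec for rec in (parse_line(line) for line in lines) if rec is not None]


def requests_by_uid(records, uid):
    """All requests by one internal ID, whether made via a staff or a member login."""
    return [rec for rec in records if rec["uid"] == str(uid)]


def sessions_for_uid(records, uid):
    """Map each X-Jethro-Session token seen for a uid to the (client, user_agent)
    pairs and request lines that used it. More than one token for a uid means the
    user has several concurrent logins (different devices or browsers)."""
    out = defaultdict(lambda: {"clients": set(), "requests": []})
    for rec in requests_by_uid(records, uid):
        if rec["session"] is None:
            continue  # identity headers absent, e.g. a static resource
        entry = out[rec["session"]]
        entry["clients"].add((rec["client"], rec["user_agent"]))
        entry["requests"].append(rec["request"])
    return dict(out)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG.splitlines())
    for token, info in sessions_for_uid(records, 42).items():
        print(f"session {token}: {len(info['requests'])} request(s) from {sorted(info['clients'])}")
```

Because the grouping keys on the uid rather than on X-Jethro-User, the staff login "jsmith" and the member login "jsmith@example.org" are correctly recognised as the same person, which is the consistency argument made for X-Jethro-UID above. If you strip the headers from client responses with an unset directive as suggested, send a test request afterwards and confirm the fields still appear in the access log rather than as "-".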
