(This may be off-topic, being more of an HTTP question, but I hope you'll
I would like to put the userid into the Apache log (for tracking purposes),
and if I use HTTP Basic Authentication, of course it goes in properly. But
we already manage userids and passwords separately and prompt for them with
WebKit pages, and don't want users to see the browser-generated dialog for
soliciting a userid and password.
Does anyone know an easy way to get a client to start sending the
"Authorization" header without using Basic Authentication?
I've tried setting some headers in the response with setHeader
(WWW-Authenticate and Authorization), but those headers go out to the
client, but don't come back in subsequent requests. I also tried assigning
the resp._headers directly to ensure that the header names don't get
string.lower-ed. That also turned out not to make a difference. I've also
tried adding the 401 Authorization Required header to a response, but that
forces the dialog to appear, which I want to avoid. I saw some information
on the Wiki, but that has to do with collecting the information and passing
it INTO WebKit for authenticatino.
I'm using Webware 0.8, Apache 2.0.x and 1.3.x, and their associated
mod_webkit modules. I'd prefer not to use mod_python, to keep our httpd
processes lean, although in a prior life I used mod_perl and hooked into the
Apache log handler. This was a hassle, though, and mod_perl REALLY can bulk
up an httpd process.
If you're wondering why this is important... We'd like to know when our
users are active via the Apache access_log, and we want to use log analysis
tools (such as Webtrends) to examine user paths through the site, exit
points, etc. If we could just replace the second hyphen in the Apache log
line with the userid (example shown below, userid is oncall)
fwl03anp.xax.net - oncall [08/Jun/2003:20:00:15 +0000]...
I'll be grateful for any insight, pointers to other resources, ideas,
David Hancock | dhancock@... | 410-266-4384