forum.coppermine-gallery.net
Support => cpg1.5.x Support => cpg1.5 miscellaneous => Topic started by: Veronica on October 21, 2012, 04:34:53 pm
-
Is there any good reason for not logging the user IP address in the security log when a user login fails?
These IP addresses are missing in both login.php line 65 and logout.php line 25.
All other security log entries (total of 10) will have the user IP logged.
-
You can add the $raw_ip to the log_write functions to add that capability.
Not sure if that's by design or an oversight.
login.php
// Write the log entry
log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username') . " IP: ". $raw_ip, CPG_SECURITY_LOG);
logout.php
if (!USER_ID) {
    if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
        log_write("Logout attempt failed because visitor is not logged in. IP: " . $raw_ip, CPG_SECURITY_LOG);
    }
    cpg_die(ERROR, $lang_logout_php['err_not_logged_in'], __FILE__, __LINE__);
}
Untested
-
Yes, of course, but I don't want to have fixes all over cpg when there is a new release available.
Having IP addresses logged when there is a login failure has been standard procedure in cpg 1.4 and was removed in cpg 1.5.
-
When Αndré comes by again I'm sure he'll comment as to whether or not this is by design or if it just never was committed in 1.5.x.
-
I haven't checked the logs nor looked at the cpg1.4.x code yet. So I currently don't know if it was dropped intentionally, but I don't see any reason to omit the IP address for those log entries.
-
Comparison login.php:
cpg1.4.x
log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);
cpg1.5.x
log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username'), CPG_SECURITY_LOG);
There was no log entry in cpg1.4.x's logout procedure.
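-
Added example, not part of the original thread and not Coppermine code: a small Python log review that counts failed logins per source IP across the three message formats quoted above, and shows that stock cpg1.5.x entries cannot be attributed to any address. The function names, the threshold, the timestamp prefix and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message texts as quoted in the thread. Whatever the logger writes before
# the message is not shown there, so the patterns are applied with search().
HEAD = r"Failed login attempt with Username: (?P<user>.*)"
PATS_WITH_IP = (
    re.compile(HEAD + r" IP: (?P<ip>\S+)\s*$"),      # cpg1.5.x with the suggested change
    re.compile(HEAD + r" from IP (?P<ip>\S+) on "),  # cpg1.4.x
)
PAT_NO_IP = re.compile(HEAD + r"$")                  # stock cpg1.5.x

def parse_failed_login(line):
    """Return (username, ip); ip is None if the entry has none. None for other lines."""
    for pat in PATS_WITH_IP:
        m = pat.search(line)
        if m:
            try:
                # Greedy .* binds to the last IP field, i.e. the one the server
                # appended, not one typed into the username field.
                return m.group("user"), str(ipaddress.ip_address(m.group("ip")))
            except ValueError:
                continue  # not an address: it belongs to the username text
    m = PAT_NO_IP.search(line)
    return (m.group("user"), None) if m else None

def summarize(lines, threshold=3):
    """Count failed logins per IP and flag addresses at or above threshold."""
    per_ip, unattributed = Counter(), 0
    for line in lines:
        parsed = parse_failed_login(line.rstrip("\n"))
        if parsed is None:
            continue
        if parsed[1] is None:
            unattributed += 1  # stock 1.5.x entry: no source to act on
        else:
            per_ip[parsed[1]] += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {"flagged": flagged, "per_ip": dict(per_ip), "unattributed": unattributed}

# Constructed sample entries (documentation addresses, invented timestamps).
SAMPLE = [
    "2012-10-21 16:30:01 - Failed login attempt with Username: admin IP: 203.0.113.7",
    "2012-10-21 16:30:03 - Failed login attempt with Username: root IP: 203.0.113.7",
    "2012-10-21 16:30:05 - Failed login attempt with Username: admin IP: 203.0.113.7",
    "2012-10-21 16:31:10 - Failed login attempt with Username: veronica IP: 198.51.100.20",
    "2012-10-21 16:32:00 - Failed login attempt with Username: guest",
    "Failed login attempt with Username: admin from IP 203.0.113.7 on October 21, 2012",
    "2012-10-21 16:33:00 - Logout attempt failed because visitor is not logged in. IP: 198.51.100.20",
]
```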