Bug #93693

closed

AuthenticationService Logging

Added by Viktor Quiring about 3 years ago. Updated almost 3 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Logging
Target version: -
Start date: 2021-03-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Logging messages from the TYPO3 Core Authentication classes do not always print out the IP address. Instead, the messages print out the placeholder ###IP###.

Steps to reproduce:
Add the following script to AdditionalConfiguration.php:

$GLOBALS['TYPO3_CONF_VARS']['LOG']['TYPO3']['CMS']['Core']['Authentication']['writerConfiguration'] = [
    \TYPO3\CMS\Core\Log\LogLevel::INFO => [
        \TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
            'logFile' => \TYPO3\CMS\Core\Core\Environment::getVarPath() . '/log/typo3_auth.log',
        ]
    ]
]; 

The messages that are written to the log file are not always provided with an IP address.
For example, for usernames that are available but where the password does not match, the following message is written to the log:
[INFO] request = "22b7434b00a76" component = "TYPO3.CMS.Core.Authentication.AuthenticationService": Login attempt from ###IP###, username 'xxxxxxx' , password not accepted! 

The placeholder ###IP### is printed in the message, but not the IP address itself.
Many other messages are also only printed with the placeholder ###IP### instead of the IP address.


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #93943: AuthenticationService Logging (Closed, Markus Klein, 2021-04-19)

Actions #1

Updated by Markus Klein about 3 years ago

This is actually on purpose.
The same log message is written to the sys_log table where the IP is a dedicated DB field.
This is done to have the possibility to perform GDPR related operations on the IPs.

Actions #2

Updated by Torben Hansen about 3 years ago

Not being able to log the IP address of failed logins to dedicated logfiles makes it impossible to e.g. use fail2ban to block such requests efficiently. Since the mentioned logging would only be created on purpose when the site admin configures it, I see the responsibility on the admin's side to take care of GDPR requirements.
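
The fail2ban concern raised in the comment above, as an added example (not part of the issue thread and not TYPO3 or fail2ban code): a Python check that reads lines in the format quoted in the description, counts failed logins per source address, and counts the lines that carry no usable address because the ###IP### placeholder was left in. The sample lines are constructed, the addresses are documentation ranges, and it is an assumption that a resolved address appears exactly where the placeholder stood; max_retry is a hypothetical parameter mirroring fail2ban's maxretry idea.

```python
import ipaddress
import re
from collections import Counter

PLACEHOLDER = "###IP###"

# Message shape taken from the log line quoted in the issue description.
# The component prefix comes before the attacker-supplied username, so the
# leftmost match is always the part written by the logger itself.
ATTEMPT_RE = re.compile(
    r'component = "TYPO3\.CMS\.Core\.Authentication\.[A-Za-z]+": '
    r"Login attempt from (?P<src>\S+?), username '(?P<user>[^']*)'"
)


def analyse(lines, max_retry=3):
    """Return (addresses with >= max_retry failures, lines without a usable IP)."""
    failures = Counter()
    unusable = 0
    for line in lines:
        match = ATTEMPT_RE.search(line)
        if match is None:
            continue  # not a login-attempt message
        src = match.group("src")
        try:
            # Rejects the unresolved placeholder and any other non-address text.
            ip = ipaddress.ip_address(src)
        except ValueError:
            unusable += 1
            continue
        failures[str(ip)] += 1
    offenders = sorted(ip for ip, count in failures.items() if count >= max_retry)
    return offenders, unusable


# Constructed sample input (not real log data).
_PREFIX = '[INFO] request = "0000000000000" component = "TYPO3.CMS.Core.Authentication.AuthenticationService": '
_MSG = "Login attempt from {}, username 'editor' , password not accepted!"
SAMPLE = [_PREFIX + _MSG.format(src) for src in (
    "192.0.2.10", "192.0.2.10", PLACEHOLDER, "2001:db8::1",
    "192.0.2.10", PLACEHOLDER,
)] + ['[INFO] request = "0000000000000" component = "Vendor.Other": unrelated']

if __name__ == "__main__":
    offenders, unusable = analyse(SAMPLE)
    print("block candidates:", offenders)
    print("failed logins without a usable IP:", unusable)
```

A non-zero second value means those failed logins can never contribute to a per-address ban, which is the gap described in the comment.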

Actions #3

Updated by Gerrit Code Review about 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68304

Actions #4

Updated by Gerrit Code Review about 3 years ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68320

Actions #5

Updated by Markus Klein about 3 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Actions #6

Updated by Markus Klein about 3 years ago

  • Related to Bug #93943: AuthenticationService Logging added

Actions #7

Updated by Gerrit Code Review about 3 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68801

Actions #8

Updated by Gerrit Code Review about 3 years ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68801

Actions #9

Updated by Markus Klein about 3 years ago

  • Status changed from Under Review to Resolved

Actions #10

Updated by Benni Mack almost 3 years ago

  • Status changed from Resolved to Closed