Bug #93693

AuthenticationService Logging

Added by Viktor Quiring 9 months ago. Updated 7 months ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Logging
Target version: -
Start date: 2021-03-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Logging messages from the TYPO3 Core Authentication classes are not always printing out the IP address. Instead, the messages print out the placeholder ###IP###.

Steps to reproduce:
Add the following script to AdditionalConfiguration.php:

$GLOBALS['TYPO3_CONF_VARS']['LOG']['TYPO3']['CMS']['Core']['Authentication']['writerConfiguration'] = [
    \TYPO3\CMS\Core\Log\LogLevel::INFO => [
        \TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
            'logFile' => \TYPO3\CMS\Core\Core\Environment::getVarPath() . '/log/typo3_auth.log',
        ]
    ]
]; 

The messages that are written to the log file are not always provided with an IP address.
For example, for usernames that are available but where the password does not match, the following message is written to the log:
[INFO] request = "22b7434b00a76" component = "TYPO3.CMS.Core.Authentication.AuthenticationService": Login attempt from ###IP###, username 'xxxxxxx' , password not accepted! 

The placeholder ###IP### is printed in the message, but not the IP address itself.
Many other messages are also only printed with the placeholder ###IP### instead of the IP address.


Related issues

Related to TYPO3 Core - Bug #93943: AuthenticationService Logging (Closed, Markus Klein, 2021-04-19)

#1

Updated by Markus Klein 9 months ago

This is actually on purpose.
The same log message is written to the sys_log table where the IP is a dedicated DB field.
This is done to have the possibility to perform GDPR related operations on the IPs.

#2

Updated by Torben Hansen 9 months ago

Not being able to log the IP address of failed logins to dedicated logfiles makes it impossible to e.g. use fail2ban to block such requests efficiently. Since the mentioned logging would only be created on purpose when the site admin configures it, I see the responsibility on the admin's side to take care of GDPR requirements.
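
Added example, not part of the comment above and not TYPO3 code: a Python check that tallies failed logins per source address from the auth log, as a tool like fail2ban would, and counts the lines that still carry the ###IP### placeholder and so cannot be attributed. The sample lines are constructed, and the form of a line with a resolved address (placeholder simply replaced) is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Message format as quoted in the issue description; anything before the
# component field (for example a timestamp) is ignored.
FAILED_LOGIN = re.compile(
    r'component\s*=\s*"TYPO3\.CMS\.Core\.Authentication\.[^"]*":\s*'
    r"Login attempt from (?P<src>[^,\s]+)\s*,\s*"
    r"username '(?P<user>[^']*)'\s*,\s*password not accepted"
)
PLACEHOLDER = "###IP###"

# Constructed sample lines using documentation address ranges. Assumption: a
# line with a resolved address differs only in that the placeholder is replaced.
PREFIX = ('[INFO] request = "0000000000000" component = '
          '"TYPO3.CMS.Core.Authentication.AuthenticationService": ')
SAMPLE_LOG = [
    PREFIX + f"Login attempt from {src}, username 'admin' , password not accepted!"
    for src in ("203.0.113.7", "###IP###", "203.0.113.7",
                "2001:db8::5", "203.0.113.7", "192.0.2.10")
]


def scan_auth_log(lines, threshold=3):
    """Return (offenders, unresolved).

    offenders:  {address: failures} for sources with at least `threshold` failures.
    unresolved: failed-login lines that still contain the ###IP### placeholder.
    """
    failures, unresolved = Counter(), 0
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match is None:
            continue
        src = match.group("src")
        if src == PLACEHOLDER:
            unresolved += 1
            continue
        try:
            failures[str(ipaddress.ip_address(src))] += 1
        except ValueError:
            continue  # not a valid IPv4/IPv6 address: never hand it to a ban action
    offenders = {ip: n for ip, n in failures.items() if n >= threshold}
    return offenders, unresolved


if __name__ == "__main__":
    print(scan_auth_log(SAMPLE_LOG))
```

A non-zero `unresolved` count means failed logins are being logged that no address-based blocking rule can act on.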

#3

Updated by Gerrit Code Review 9 months ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68304

#4

Updated by Gerrit Code Review 9 months ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68320

#5

Updated by Markus Klein 9 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#6

Updated by Markus Klein 7 months ago

  • Related to Bug #93943: AuthenticationService Logging added

#7

Updated by Gerrit Code Review 7 months ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68801

#8

Updated by Gerrit Code Review 7 months ago

Patch set 2 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/68801

#9

Updated by Markus Klein 7 months ago

  • Status changed from Under Review to Resolved

#10

Updated by Benni Mack 7 months ago

  • Status changed from Resolved to Closed
