[geeklog-devtalk] geeklog-devel digest, Vol 1 #255 - 5 msgs

geeklog-devel-request at lists.geeklog.net geeklog-devel-request at lists.geeklog.net
Sat Jan 17 13:00:09 EST 2004



Today's Topics:

1. Re: Search Engine Friendly URLs for Stories (Vincent Furia)
2. access.log (Dirk Haun)
3. Re: access.log (Vincent Furia)
4. Re: access.log (Dirk Haun)
5. Re: access.log (Blaine Lang)

--__--__--

Message: 1
Date: Fri, 16 Jan 2004 13:37:54 -0500
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Search Engine Friendly URLs for Stories
Reply-To: geeklog-devel at lists.geeklog.net



Dirk Haun wrote:


>Vincent Furia wrote:
>
>>I wrote this against the current CVS version of geeklog-1.3. I've
>>tested it pretty well on linux.
>
>Thanks, Vinny. I seem to remember that Tom Willet and yourself were
>doing tests like that on gplugs.sf.net. So you have evidence that these
>URLs are more likely to be picked up by Google et al.?

The changed URLs seemed to improve the ability of search engines to pick
up the story URLs. Also Tom's story index page seemed to help a little
bit as well. The two items combined saw the best (observed) results.
Due to the nature of search engines though, a truly scientific test is
beyond the means of the resources I have available. Sum Up: I think it
works.

Another thing that would help is to have links (somehow) from stories that
don't have comments or story bodies. Currently those stories don't
(can't) link to the article page so getting a search spider to fix that
is difficult. Tom's fix (mentioned above) alleviates this somewhat.


>>I doubt it will work under Windows with
>>IIS since it uses the same methodology as Staticpages.
>
>I wonder if that problem still exists - the last time someone looked into
>this was almost a year ago. Does anyone have access to a current version
>of IIS + PHP to test it out?

Beats me, I've never run IIS. Any takers to solve this? We need to
know if the $PATH_INFO environmental variable gets filled in correctly.

Thanks,
Vinny


--__--__--

Message: 2
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Date: Sat, 17 Jan 2004 00:08:52 +0100
Organization: Terra Software Systems
Subject: [geeklog-devel] access.log
Reply-To: geeklog-devel at lists.geeklog.net

I'd like to propose that we re-think the use of the access.log file.
Currently, it is pretty much useless (open yours and see for yourself),
as all it lists are session ids and date stamps about someone logging
out. Since the session id has been gone from the gl_sessions table by
then, this information doesn't really help with anything.

Now, I don't want us to log when people are logging in and out, as there
is no reason to collect that information (and especially not in a file).
Geeklog currently stores the last time someone logged in, for the
legitimate reason of trying to keep track if an account is (still) in use.

(On a side note, I'd like to see some "housekeeping" tools being
developed as add-ons making use of that information, e.g. to weed out
unused accounts after some time.)

Back to access.log: When trying to access one of the admin pages without
being an admin, you are told that this attempt had been logged. However,
in almost all cases, it hasn't - I've only recently added this to CVS,
after someone pointed it out in the forums.

Since the error.log tends to be clogged with lots of messages, it would
be hard to find any access violations in all that noise. So I'd suggest
we use the access.log for that instead.

To save on code, COM_accessLog could be extended to automatically log the
IP, user id (and name?) of the user that caused the violation in addition
to the time stamp it's already adding automatically.

So what should be logged?

- Any attempts at accessing the admin pages without proper authentication
  (just what we already claim we're logging)
- Attempts at doing something the user doesn't have proper permissions
  to, e.g. trying to access a story without the proper permissions, or an
  admin doing something they are not allowed to do (e.g. a Group Admin
  trying to edit the Root group).
- Failed login attempts, to see if someone is trying to hack accounts
- anything else?

What I want to avoid, though, is to collect too much (detailed)
information or to give users the impression that they are being spied on.

Comments?

bye, Dirk


--
http://www.haun-online.de/
http://www.haun.info/


--__--__--

Message: 3
Date: Sat, 17 Jan 2004 00:26:37 -0500
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] access.log
Reply-To: geeklog-devel at lists.geeklog.net

Dirk Haun wrote:


>I'd like to propose that we re-think the use of the access.log file.
>Currently, it is pretty much useless (open yours and see for yourself),
>as all it lists are session ids and date stamps about someone logging
>out. Since the session id has been gone from the gl_sessions table by
>then, this information doesn't really help with anything.

I agree, let's get rid of that logging. I always wondered why the
session ids were logged on log out.


>Now, I don't want us to log when people are logging in and out, as there
>is no reason to collect that information (and especially not in a file).
>Geeklog currently stores the last time someone logged in, for the
>legitimate reason of trying to keep track if an account is (still) in use.
>
>(On a side note, I'd like to see some "housekeeping" tools being
>developed as add-ons making use of that information, e.g. to weed out
>unused accounts after some time.)
>
>Back to access.log: When trying to access one of the admin pages without
>being an admin, you are told that this attempt had been logged. However,
>in almost all cases, it hasn't - I've only recently added this to CVS,
>after someone pointed it out in the forums.
>
>Since the error.log tends to be clogged with lots of messages, it would
>be hard to find any access violations in all that noise. So I'd suggest
>we use the access.log for that instead.

This makes sense. In fact, someone not familiar with Geeklog would
probably look in access.log for access violations first in any case.


>To save on code, COM_accessLog could be extended to automatically log the
>IP, user id (and name?) of the user that caused the violation in addition
>to the time stamp it's already adding automatically.
>
>So what should be logged?
>
>- Any attempts at accessing the admin pages without proper authentication
>  (just what we already claim we're logging)
>- Attempts at doing something the user doesn't have proper permissions
>  to, e.g. trying to access a story without the proper permissions, or an
>  admin doing something they are not allowed to do (e.g. a Group Admin
>  trying to edit the Root group).
>- Failed login attempts, to see if someone is trying to hack accounts

Another tangent: In the future, if we kept track of how many failed
login attempts since last successful login, we could do some pretty cool
stuff (like lock and possibly send email to the affected person and
admin that a login has failed three times on an account).


>- anything else?
>
>What I want to avoid, though, is to collect too much (detailed)
>information or to give users the impression that they are being spied on.
>
>Comments?

Sounds good to me Dirk.


>bye, Dirk

bye... Vinny


--__--__--

Message: 4
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] access.log
Date: Sat, 17 Jan 2004 14:14:07 +0100
Organization: Terra Software Systems
Reply-To: geeklog-devel at lists.geeklog.net

Vincent wrote:


>Another tangent: In the future, if we kept track of how many failed
>login attempts since last successful login, we could do some pretty cool
>stuff (like lock and possibly send email to the affected person and
>admin that a login has failed three times on an account).


Good point. Actually, we probably shouldn't start logging failed login
attempts until they've exceeded a certain number (say, 3) - everyone
mistypes their password once in a while ...

Blocking an account after a certain amount of failed login attempts just
calls for misuse, but sending an email (to the user at least) sounds like
a good idea.

bye, Dirk


--
http://www.haun-online.de/
http://mypod.de/
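
Added example, not part of the thread and not Geeklog code: a PHP sketch of the two ideas discussed above, an access.log line that carries timestamp, IP, user id and name, and failed logins that are only logged once they exceed a threshold since the last successful login. All function names, the line format, the uid value and the sample data are assumptions made for illustration.

```php
<?php
// Added illustration; not Geeklog code. Every name below is hypothetical.
const EXAMPLE_FAILED_LOGIN_THRESHOLD = 3; // "say, 3" from the thread

// Replace control characters so a user-supplied value (e.g. a login name
// containing a newline) cannot forge additional log lines.
function example_clean(string $s): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', ' ', $s);
}

// Build one access.log line: timestamp, IP, user id, user name, message.
function example_accessLogLine(string $ip, int $uid, string $name, string $msg, int $now): string
{
    return sprintf("%s - %s - uid=%d (%s) - %s\n",
        gmdate('Y-m-d H:i:s', $now), example_clean($ip), $uid,
        example_clean($name), example_clean($msg));
}

// Count failures since the last successful login. Returns the line to log
// once the count exceeds the threshold, otherwise null.
function example_recordFailedLogin(array &$failures, string $name, string $ip, int $now): ?string
{
    $failures[$name] = ($failures[$name] ?? 0) + 1;
    if ($failures[$name] <= EXAMPLE_FAILED_LOGIN_THRESHOLD) {
        return null; // an occasional mistyped password is not logged
    }
    // uid 0 is a constructed placeholder for "not authenticated".
    return example_accessLogLine($ip, 0, $name,
        "failed login attempt #{$failures[$name]}", $now);
}

// A successful login resets the counter for that account.
function example_recordSuccessfulLogin(array &$failures, string $name): void
{
    unset($failures[$name]);
}

// Constructed sample run: five wrong passwords for one account.
$failures = [];
$now = 1074345247; // constructed timestamp
for ($i = 1; $i <= 5; $i++) {
    $line = example_recordFailedLogin($failures, 'alice', '192.0.2.10', $now + $i);
    if ($line !== null) {
        echo $line; // here one would append to access.log and e-mail the user
    }
}
```

With the constructed input, attempts 1 to 3 produce nothing and attempts 4 and 5 each produce one line.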


--__--__--

Message: 5
From: "Blaine Lang" <geeklog at langfamily.ca>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] access.log
Date: Sat, 17 Jan 2004 11:37:09 -0500
Reply-To: geeklog-devel at lists.geeklog.net

I think these are good ideas. As developers we often use COM_errorLOG for
debugging output and I think that has become a problem and often leaves
spurious non-error related output in that log which can only confuse a user.

I've introduced a notification.log file with glMessenger and maybe we should
have a debug.log file.
The logic would check for the existence of the file and if not there
doNothing() else logEntry().

In my case, I also wrote a small block that I only see so I can tail the
notification log and watch my site activity. During debugging, having a
Centerblock doing a tail on the debug.log file may be handy.

If I knew there was a standard COM_debugLog(), then I'd convert any of my
code to use that.

----- Original Message -----
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Sent: Saturday, January 17, 2004 8:14 AM
Subject: Re: [geeklog-devel] access.log



> Vincent wrote:
>
> >Another tangent: In the future, if we kept track of how many failed
> >login attempts since last successful login, we could do some pretty cool
> >stuff (like lock and possibly send email to the affected person and
> >admin that a login has failed three times on an account).
>
> Good point. Actually, we probably shouldn't start logging failed login
> attempts until they've exceeded a certain number (say, 3) - everyone
> mistypes their password once in a while ...
>
> Blocking an account after a certain amount of failed login attempts just
> calls for misuse, but sending an email (to the user at least) sounds like
> a good idea.
>
> bye, Dirk
>
> --
> http://www.haun-online.de/
> http://mypod.de/





--__--__--



End of geeklog-devel Digest


