0

we are using a system to allow users to change their passwords via (preauthenticated) requests like https://ourserver.com/change_password?user=USERNAME&new_pass=PASSWORD.

For convenience we would like to log the first part of the query (a user tried to change their password), but for security reasons not the password itself.

I have stumbled upon 'SetEnvIf RequestUri "^change_password"', but I only figured out, how to completely remove the entry in the access.log. Any hints of how to achieve the goal described above are very appreciated.

Thanks, Martin

Edit: I stumbled upon Custom Log Formats %q as well, but there I can only remove both the parameters - which leads to the same (possible) inconvenience as removing the log entry alltogether.

jesterchen
  • 41
  • 4
  • You should be using POST requests instead of GET requests; Apache won't log the POST parameters. Use your own log if you want to log the usernames. – Martin von Wittich Sep 30 '14 at 08:19
  • Thanks. I tried to convince the others in the team. They did not listen. But I think I can convince them to create an additional own logging facility in our project, so my first solutiuon is enough again. – jesterchen Sep 30 '14 at 08:21

0 Answers0