No IP in security log when login fails

[Veronica]

Is there any good reason for not logging the user IP address in the sercurity log when an user login fails?

These IP addresses are missing in both login.php line 65 and logout.php line 25.
All other security log entries (total of 10) will have the user IP logged.

[Jeff Bailey]

You can add the $raw_ip to the log_write functions to add that capability.

Not sure if thats by design or an oversight.

login.php

Code Select Expand


// Write the log entry
        log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username') . " IP: ". $raw_ip, CPG_SECURITY_LOG);


logout.php

Code Select Expand


if (!USER_ID) {
    if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
        log_write("Logout attempt failed because visitor is not logged in. IP: " . $raw_ip, CPG_SECURITY_LOG);
    }
    cpg_die(ERROR, $lang_logout_php['err_not_logged_in'], __FILE__, __LINE__);
}


Untested

[Veronica]

Yes ofcourse but I don't want to have fixes all over cpg when there is a new release available.
Having IP addresses logged when there is a login failure has been standard procedure in cpg 1.4 and was removed in cpg 1.5

[Jeff Bailey]

When Αndré comes by again I'm sure he'll comment as to whether or not this is by design or if it just never was committed in 1.5.x

[Αndré]

I haven't checked the logs nor looked at the cpg1.4.x code yet. So I currently don't know if it was dropped intentionally, but I don't see any reason to omit the IP address for those log entries.

[Αndré]

Comparison login.php:

cpg1.4.x

Code Select Expand

log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);

cpg1.5.x

Code Select Expand

log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username'), CPG_SECURITY_LOG);


There was no log entry in cpg1.4.x's logout procedure.