Hi there
I have to log when a user fails to log in to a web application. No, this web application is not able to do this out of the box and I can not change it.
Now I'm experimenting with mod_security. My idea is to track the POST request, extract the username and then check if the user gets redirected to the "login failed" page.
I have:
Code:
<Location /login.php>
# Sanitize password variable value
SecAction nolog,phase:2,sanitiseArg:password
SecRule REQUEST_BODY "username=(.*)&password" "capture,log,logdata:'login submitted: user %{TX.1}'"
</Location>
and
Code:
<Location /loginfailed.php>
# Filter und log redirects to loginfailed
SecRule RESPONSE_BODY "loginfailed.php" "phase:4,t:none,log,logdata:'login failed: %{TX.1}'"
</Location>
But of course "TX.1" is already unset when I need it the second time.
Can anyone give me a hint on how to solve this?
Thanks, mr51m0n