Joe Orton wrote:
I presume this fixes #31418? Your patch makes sense to me. I could argue that it could even be done *before* the SSLRequire checking, such that the "username" is logged appropriately even if an SSLRequire triggers a 403, but I doubt that matters much.
fwiw that's the route that the auth providers took when we last looked at this - make it possible to log the user, with the understanding that the user might not have passed the auth process so may be completely bogus.
As Joe pointed out in a separate reply this is now done after the renegotiation, so it's a sensible place to do it and avoids one possible gotcha.
david
