I have to log when a user fails to log in to a web application. Unfortunately, this web application is not able to do this out of the box and I can not change it.

Now I'm experimenting with mod_security. My idea is to track the POST request, extract the username and then check if the user gets redirected to the "login failed" page.

I have:

<Location /login.php>
       # Sanitize password variable value
       SecAction nolog,phase:2,sanitiseArg:password

       # Inspecting REQUEST_BODY requires SecRequestBodyAccess On
       SecRule REQUEST_BODY "username=(.*)&password" "capture,log,logdata:'login submitted: user %{TX.1}'"
</Location>

<Location /loginfailed.php>
       # Filter and log redirects to loginfailed
       SecRule RESPONSE_BODY "loginfailed.php" "phase:4,t:none,log,logdata:'login failed: %{TX.1}'"
</Location>

But of course "TX.1" is already unset when I need it the second time.

Can anyone give me a hint on how to solve this?



1 Answer


Unless the web app includes information about the username in the redirect (say, in the query string /loginfailed.php?username=foobar or in a cookie) there will be no way to extract the username from the /loginfailed.php request. The information just isn't there to extract. HTTP is stateless, so when a client sends username=foo in the body of a POST request and this results in a 302 redirect, the follow up request to /loginfailed.php doesn't know anything about the previous request.

If this web app uses a 307 redirect instead of a 302 or a 303, the follow up request to /loginfailed.php will be a POST request with all the same data. I would expect this to be fairly unlikely.

Have a look in the cookies or the session storage and see if the username is there. (I'm not sure if mod_security can read session storage but if you know it's there, I'm sure you can figure something out.)

You might have more luck with a CustomLog to log whether the login attempt succeeded or failed during the original request rather than the follow up request:

LogFormat "%h %t \"%r\" %>s %{Location}o %{PHPSESSID}C %{UNIQUE_ID}e" loginslog
CustomLog "/var/log/apache2/logins.log" loginslog

or you could just add the Location: header and the unique ID to your normal logs with %{Location}o %{UNIQUE_ID}e. mod_security includes the unique ID in all of its logs so you can match one to the other easily.

Creating a coherent log of all usernames that have failed logins is then a matter of grepping all the Location:.*/loginfailed.php lines out of the logins.log and then matching the unique IDs up to the usernames in your existing mod_security-based log.
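The grep-and-match step described in this answer, written out as a small correlation script. This is an added example, not code from the question or the answer: it parses constructed lines in the answer's LogFormat (hosts, session IDs and unique IDs are made up), keeps only the requests whose Location header points at /loginfailed.php, and joins them on UNIQUE_ID to constructed mod_security error-log lines, where the rule's logdata is assumed to appear in a [data "..."] field next to [unique_id "..."]. It also decodes the form-encoded username the question's regex captures, and reports a failed login with no matching mod_security line rather than dropping it.

```python
"""Correlate Apache CustomLog redirect lines with mod_security logdata via UNIQUE_ID."""
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import unquote_plus

# Constructed sample lines in the answer's LogFormat:
#   "%h %t \"%r\" %>s %{Location}o %{PHPSESSID}C %{UNIQUE_ID}e"
# Hosts, session IDs and unique IDs are made up for this example.
LOGINS_LOG = """\
203.0.113.5 [10/Oct/2023:13:55:36 +0000] "POST /login.php HTTP/1.1" 302 /loginfailed.php sess-a UID-0001
203.0.113.5 [10/Oct/2023:13:55:37 +0000] "GET /loginfailed.php HTTP/1.1" 200 - sess-a UID-0002
198.51.100.7 [10/Oct/2023:13:56:02 +0000] "POST /login.php HTTP/1.1" 302 /welcome.php sess-b UID-0003
198.51.100.9 [10/Oct/2023:13:57:11 +0000] "POST /login.php HTTP/1.1" 302 http://app.example/loginfailed.php sess-c UID-0004
192.0.2.4 [10/Oct/2023:13:58:40 +0000] "POST /login.php HTTP/1.1" 302 /loginfailed.php sess-d UID-0005
"""

# Constructed mod_security error-log lines. The [data "..."] and [unique_id "..."]
# fields are assumed to be where ModSecurity writes the rule's logdata and the
# request's unique ID; the other fields are abbreviated.
MODSEC_LOG = """\
[Tue Oct 10 13:55:36.000001 2023] [:error] [pid 1] [client 203.0.113.5] ModSecurity: Warning. Pattern match "username=(.*)&password" at REQUEST_BODY. [data "login submitted: user alice"] [uri "/login.php"] [unique_id "UID-0001"]
[Tue Oct 10 13:56:02.000001 2023] [:error] [pid 1] [client 198.51.100.7] ModSecurity: Warning. Pattern match "username=(.*)&password" at REQUEST_BODY. [data "login submitted: user bob"] [uri "/login.php"] [unique_id "UID-0003"]
[Tue Oct 10 13:57:11.000001 2023] [:error] [pid 1] [client 198.51.100.9] ModSecurity: Warning. Pattern match "username=(.*)&password" at REQUEST_BODY. [data "login submitted: user j.doe%40example.com"] [uri "/login.php"] [unique_id "UID-0004"]
"""

# One CustomLog line: host, [time], "request", status, Location, PHPSESSID, UNIQUE_ID
LOGIN_LINE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<location>\S+) (?P<session>\S+) (?P<uid>\S+)$'
)
MODSEC_USER = re.compile(r'\[data "login submitted: user (?P<user>[^"]*)"\]')
MODSEC_UID = re.compile(r'\[unique_id "(?P<uid>[^"]+)"\]')


class FailedLogin(NamedTuple):
    time: str
    client: str
    unique_id: str
    username: Optional[str]  # None when no mod_security line carried the name


def usernames_by_unique_id(modsec_log: str) -> Dict[str, str]:
    """Map UNIQUE_ID -> username from the 'login submitted' mod_security entries."""
    table: Dict[str, str] = {}
    for line in modsec_log.splitlines():
        user = MODSEC_USER.search(line)
        uid = MODSEC_UID.search(line)
        if user and uid:
            # The question's regex captures the raw form value, so undo
            # application/x-www-form-urlencoded escaping ('%40' -> '@', '+' -> ' ').
            table[uid['uid']] = unquote_plus(user['user'])
    return table


def is_login_failed_redirect(location: str) -> bool:
    """True when the Location header (absolute or relative URL) points at loginfailed.php."""
    return location != '-' and location.split('?', 1)[0].endswith('/loginfailed.php')


def failed_logins(logins_log: str, modsec_log: str) -> List[FailedLogin]:
    """The 'grep Location:.*/loginfailed.php' step plus the unique-ID join."""
    users = usernames_by_unique_id(modsec_log)
    found: List[FailedLogin] = []
    for line in logins_log.splitlines():
        m = LOGIN_LINE.match(line)
        if not m or not is_login_failed_redirect(m['location']):
            continue
        found.append(FailedLogin(m['time'], m['host'], m['uid'], users.get(m['uid'])))
    return found


if __name__ == '__main__':
    for f in failed_logins(LOGINS_LOG, MODSEC_LOG):
        print(f"{f.time} {f.client} {f.username or '<no username logged>'} ({f.unique_id})")
```

Only the POST that produced the redirect is reported; the client's follow-up GET of /loginfailed.php has no Location header (logged as "-") and is skipped, and a successful login redirecting elsewhere is ignored. Run against real files, replace the two string constants with the contents of logins.log and the Apache error log.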
