There's nothing that prevents a server from holding onto the ID and logging it after login if you think you don't want it from before for some reason.
or, if you're really concerned with too much logging from non-signed in sessions, then implement an actual rate limit instead of just never logging them. There is definite utility in having the information earlier. Brandon On Thu, Jul 30, 2020 at 9:31 AM Andrew C Aitchison via mailop < mailop@mailop.org> wrote: > On Thu, 30 Jul 2020, Edgaras Lukoševičius via mailop wrote: > > > I have started digging after your response, and they are sending ID! But > they > > are sending ID before authentication, our IMAP proxy seems to be > dropping ID > > command if user is not authenticated. > > > So that behavior seems legitimate, but in my opinion ID should be sent > after > > authenticating. > > Useful to have that info when users report authentication failures. > > -- > Andrew C. Aitchison Kendal, UK > and...@aitchison.me.uk > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
