httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Thu, 07 Jun 2012 20:11:13 GMT
On Thursday 07 June 2012, Eric Covener wrote:
> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <trawick@gmail.com> wrote:
> > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schaefer@yahoo.com> wrote:
> >> Session cookies sometimes pose a security risk as well.
> > 
> > Yeah.  That could be any cookie though, although there are a few
> > very common defaults :(  My guess is that cookie values are more
> > useful for debugging crashes than Authorization headers, but
> > that it should still be opt-in.
> > 
> > Thoughts, anyone?
> 
> +1 to separate knob to opt-in to Cookie logging.

I share William's concern that this makes mod_forensic potentially less 
useful.

Maybe making the forensic log mode 600 by default would be a better 
idea?
