httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [PATCH] mod_log_forensic security considerations
Date Thu, 07 Jun 2012 21:12:35 GMT
On Thu, Jun 7, 2012 at 4:11 PM, Stefan Fritsch <sf@sfritsch.de> wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <trawick@gmail.com> wrote:
>> > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schaefer@yahoo.com> wrote:
>> >> Session cookies sometimes pose a security risk as well.
>> >
>> > Yeah.  That could be any cookie though although there are a few
>> > very common defaults :(  My guess is that cookie values are more
>> > useful for debugging crashes than Authorization headers, but
>> > that it should still be opt-in.
>> >
>> > Thoughts, anyone?
>>
>> +1 to separate knob to opt-in to Cookie logging.
>
> I share William's concern that this makes mod_forensic potentially less
> useful.
>
> Maybe making the forensic log mode 600 by default would be a better
> idea?

A more appropriate mode is fine, but if a crash really occurs and the
log file gets passed around/uploaded to vendor ftp servers/etc. for
debugging, the mode won't mean anything.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
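As an added example, not part of this thread or of mod_log_forensic itself, a small Python sanitizer that redacts Authorization and Cookie values from a forensic log before the file is handed to anyone for crash analysis, while keeping header and cookie names so the log stays useful for debugging. It assumes the forensic log's `+id|request-line|Header:value|...` / `-id` line format with `|`, `:` and `%` percent-escaped inside values; the sample entry is constructed.

```python
# Added example: sanitize a mod_log_forensic log before sharing it for crash
# analysis. Assumes the forensic format: '+id|request-line|Header:value|...'
# opens a request and '-id' closes it; '|', ':' and '%' inside values are
# percent-escaped by the module, so splitting on '|' and the first ':' is safe.

# Credential-bearing headers. Values are dropped; names are kept so the log
# still shows which headers and cookies the crashing request carried.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
PLACEHOLDER = "<redacted>"


def redact_field(field):
    """Redact one 'Name:value' header field; non-sensitive fields pass through."""
    name, sep, value = field.partition(":")
    if not sep or name.lower() not in SENSITIVE:
        return field
    if name.lower() != "cookie":
        return name + ":" + PLACEHOLDER
    # Cookie: keep each cookie name, replace its value ('=' and ';' are not
    # escaped by the module, so splitting on them is reliable).
    kept = []
    for crumb in value.split(";"):
        crumb = crumb.strip()
        if crumb:
            cname, eq, _ = crumb.partition("=")
            kept.append(cname + "=" + PLACEHOLDER if eq else cname)
    return name + ":" + "; ".join(kept)


def redact_line(line):
    """Sanitize one log line. Only '+' lines carry headers; others pass through."""
    if not line.startswith("+"):
        return line
    body = line.rstrip("\r\n")
    nl = line[len(body):]
    fields = body.split("|")
    # fields[0] is '+id', fields[1] the request line, the rest are headers.
    return "|".join(fields[:2] + [redact_field(f) for f in fields[2:]]) + nl


def redact_log(text):
    """Sanitize a whole forensic log given as a string, one entry per line."""
    return "".join(redact_line(l) for l in text.splitlines(keepends=True))


if __name__ == "__main__":
    # Constructed sample entry, not real log data.
    SAMPLE = (
        "+cOnStRuCtEdId01|GET /app/ HTTP/1.1|Host:example.com"
        "|Cookie:session=s3cr3t; pref=dark|Authorization:Basic dXNlcjpwYXNz\n"
        "-cOnStRuCtEdId01\n"
    )
    print(redact_log(SAMPLE), end="")
```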
