On Thursday 07 June 2012, Eric Covener wrote: > On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <traw...@gmail.com> wrote: > > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <joe_schae...@yahoo.com> wrote: > >> Session cookies sometimes pose a security risk as well. > > > > Yeah. That could be any cookie though although there are a few > > very common defaults :( My guess is that cookie values are more > > useful for debugging crashes than Authorization headers, but > > that it should still be opt-in. > > > > Thoughts, anyone? > > +1 to separate knob to opt-in to Cookie logging.
I share Williams concern that this makes mod_forensic potentially less useful. Maybe making the forensic log mode 600 by default would be a better idea?