On Thu, Jun 7, 2012 at 4:11 PM, Stefan Fritsch <[email protected]> wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <[email protected]> wrote:
>> > On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <[email protected]> wrote:
>> >> Session cookies sometimes pose a security risk as well.
>> >
>> > Yeah. That could be any cookie though although there are a few
>> > very common defaults :( My guess is that cookie values are more
>> > useful for debugging crashes than Authorization headers, but
>> > that it should still be opt-in.
>> >
>> > Thoughts, anyone?
>>
>> +1 to separate knob to opt-in to Cookie logging.
>
> I share William's concern that this makes mod_forensic potentially less
> useful.
>
> Maybe making the forensic log mode 600 by default would be a better
> idea?

A more appropriate mode is fine, but if a crash really occurs and the log file gets passed around/uploaded to vendor ftp servers/etc. for debugging, the mode won't mean anything.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
