On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> On Thursday 07 June 2012, Eric Covener wrote:
>> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick <[email protected]> wrote:
>>> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <[email protected]> wrote:
>>>> Session cookies sometimes pose a security risk as well.
>>> Yeah. That could be any cookie though although there are a few
>>> very common defaults :( My guess is that cookie values are more
>>> useful for debugging crashes than Authorization headers, but
>>> that it should still be opt-in.
>>>
>>> Thoughts, anyone?
>> +1 to separate knob to opt-in to Cookie logging.
> I share William's concern that this makes mod_forensic potentially less
> useful.
>
> Maybe making the forensic log mode 600 by default would be a better
> idea?
Agreed as well. This module isn't enabled by default and is most likely to be enabled by a user that knows what they are trying to accomplish. To me, a clear and concise security warning in the documentation should be all that is needed. IMO, having unadulterated logging capability is what makes mod_dumpio/mod_log_forensic some of the most useful modules for troubleshooting in a proxy/crashing scenario (respectively).

--
Daniel Ruggeri
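As an added illustration of the trade-off the thread is weighing (this is not code from httpd or from anyone in the thread), the script below reads mod_log_forensic output in the format the module documents: a "+<id>|<request line>|Header:value|..." line when a request arrives and a "-<id>" line when it completes, with "|", ":" and non-printable bytes inside fields %xx-escaped. It does the two things a practitioner actually wants from that log: list the requests that never got a "-" line (the ones in flight when the server died) and redact Cookie/Authorization values before the file is handed to anyone who should not see credentials. The sample log lines and the set of header names treated as sensitive are constructed for this example.

```python
"""Triage mod_log_forensic output: find requests that never completed and
redact credential-bearing headers before the log leaves the host.

Added example, not part of httpd. Format assumed per the module docs:
  +<id>|<request line>|Header:value|Header:value...
  -<id>
Sample lines below are constructed for this example.
"""
import re

# Constructed sample: the first request completes, the second never does.
SAMPLE_LOG = """\
+yQtJf8CoAB4AAFNXBIEAAAAA|GET /manual/de/images/down.gif HTTP/1.1|Host:localhost%3a8080|User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; rv%3a1.6) Gecko/20040216 Firefox/0.8|Cookie:JSESSIONID=A1B2C3; theme=dark
-yQtJf8CoAB4AAFNXBIEAAAAA
+yQtJf8CoAB4AAFNXBIEAAAAB|POST /api/transfer HTTP/1.1|Host:localhost%3a8080|Authorization:Basic YWxpY2U6aHVudGVyMg==|Content-Type:application/x-www-form-urlencoded
"""

# Assumption for this example: which headers are worth redacting.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}


def unescape(value):
    """Undo the module's %xx escaping of '|', ':' and non-printables."""
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_line(line):
    """Return ('+', id, request_line, [(name, value), ...]) or ('-', id, None, None).

    Header values are left escaped so they can be written back unchanged.
    """
    line = line.rstrip("\n")
    if not line:
        return None
    kind, rest = line[0], line[1:]
    if kind == "-":
        return ("-", rest, None, None)
    if kind != "+":
        raise ValueError("not a forensic log line: %r" % line)
    fields = rest.split("|")
    req_id, request_line, headers = fields[0], fields[1], []
    for field in fields[2:]:
        name, _, value = field.partition(":")
        headers.append((name, value))
    return ("+", req_id, request_line, headers)


def redact(record):
    """Replace the value of every sensitive header with a marker."""
    kind, req_id, request_line, headers = record
    if kind != "+":
        return record
    cleaned = [(n, "[REDACTED]" if n.lower() in SENSITIVE_HEADERS else v)
               for n, v in headers]
    return (kind, req_id, request_line, cleaned)


def format_line(record):
    """Serialise a parsed record back into the module's line format."""
    kind, req_id, request_line, headers = record
    if kind == "-":
        return "-" + req_id
    return "+" + "|".join([req_id, request_line] + ["%s:%s" % h for h in headers])


def incomplete_requests(text):
    """Map id -> request line for every '+' that has no matching '-'."""
    open_reqs = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "+":
            open_reqs[rec[1]] = rec[2]
        else:
            open_reqs.pop(rec[1], None)
    return open_reqs


def redacted_log(text):
    """Return the whole log with sensitive header values removed."""
    records = (parse_line(l) for l in text.splitlines())
    return "\n".join(format_line(redact(r)) for r in records if r)


def log_perms_ok(st_mode):
    """True if no group/other bits are set, i.e. the mode-600 idea from the thread."""
    return (st_mode & 0o077) == 0


if __name__ == "__main__":
    for req_id, req in incomplete_requests(SAMPLE_LOG).items():
        print("never completed:", req_id, req)
    print(redacted_log(SAMPLE_LOG))
```

The parser keeps values escaped and only swaps the sensitive ones out, so the redacted file is still valid input for any other tooling that reads the forensic format; `unescape()` is there for when a human needs to read a Host or User-Agent field.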
