> -----Original Message-----
> From: Daniel Ruggeri
> Sent: Friday, 8 June 2012 00:16
> To: [email protected]
> Subject: Re: [PATCH] mod_log_forensic security considerations
>
> On 6/7/2012 3:11 PM, Stefan Fritsch wrote:
> > On Thursday 07 June 2012, Eric Covener wrote:
> >> On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick wrote:
> >>> On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer <[email protected]> wrote:
> >>>> Session cookies sometimes pose a security risk as well.
> >>> Yeah. That could be any cookie though although there are a few
> >>> very common defaults :( My guess is that cookie values are more
> >>> useful for debugging crashes than Authorization headers, but
> >>> that it should still be opt-in.
> >>>
> >>> Thoughts, anyone?
> >> +1 to separate knob to opt-in to Cookie logging.
> > I share William's concern that this makes mod_forensic potentially less
> > useful.
> >
> > Maybe making the forensic log mode 600 by default would be a better
> > idea?
>
> Agreed as well. This module isn't enabled by default and is most likely
> to be enabled by a user that knows what they are trying to accomplish.
> To me, a clear and concise security warning in the documentation should
> be all that is needed.
>
> IMO, having unadulterated logging capability is what makes
> mod_dumpio/mod_log_forensic some of the most useful modules for
> troubleshooting in a proxy/crashing scenario (respectively).
+1

Regards
Rüdiger
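The thread weighs an opt-in knob for Cookie logging against a stricter default file mode. A complementary control, shown here as an added example that is not code from httpd or from anyone in this thread, is to redact Authorization and Cookie values from an existing forensic log before handing it to whoever is debugging the crash. It assumes the documented mod_log_forensic line format (`+id|request line|Header:value|...` on request start, `-id` on completion, with `|` and `:` inside values percent-escaped); the sample log lines, ids and values are constructed.

```python
# Header names the thread singles out as sensitive (constructed list; extend as needed).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

def redact_forensic_line(line: str) -> tuple[str, list[str]]:
    """Redact sensitive header values in one mod_log_forensic line.

    A '+' line carries '|'-separated fields: '+<id>', the request line,
    then 'Name:value' headers (mod_log_forensic percent-escapes '|' and
    ':' inside values, so the first ':' is the name/value boundary).
    A '-' line only marks completion and has nothing to redact.
    Returns the rewritten line and the names of the headers redacted.
    """
    if not line.startswith("+"):
        return line, []
    fields = line.rstrip("\n").split("|")
    redacted = []
    for i in range(2, len(fields)):          # skip '+<id>' and the request line
        name, sep, _value = fields[i].partition(":")
        if sep and name.lower() in SENSITIVE_HEADERS:
            fields[i] = f"{name}:[REDACTED]"
            redacted.append(name)
    return "|".join(fields), redacted

def redact_forensic_log(text: str) -> tuple[str, dict[str, list[str]]]:
    """Redact a whole log; also return forensic id -> redacted header names."""
    out_lines, report = [], {}
    for line in text.splitlines():
        new_line, names = redact_forensic_line(line)
        out_lines.append(new_line)
        if names:
            report[line[1:].split("|", 1)[0]] = names
    return "\n".join(out_lines), report

# Constructed sample in the documented format; ids and credential values are made up.
SAMPLE_LOG = "\n".join([
    "+abc123|GET /app/profile HTTP/1.1|Host:example.test|Cookie:JSESSIONID=deadbeef|Accept:*/*",
    "-abc123",
    "+def456|GET /admin HTTP/1.1|Host:example.test|Authorization:Basic YWRtaW46czNjcjN0|User-Agent:curl",
    "-def456",
    "+ghi789|GET /public HTTP/1.1|Host:example.test|Accept:*/*",
    "-ghi789",
])

if __name__ == "__main__":
    cleaned, report = redact_forensic_log(SAMPLE_LOG)
    print(cleaned)
    for fid, names in report.items():
        print(f"{fid}: redacted {', '.join(names)}")
```

The report lets the person sharing the log see which requests carried credentials, which is also the set of sessions worth invalidating if the unredacted file was ever readable by others.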
