elmah/Elmah

Make logging of some values configurable (e.g. don't log the ASPXAUTH cookies to avoid session hijacking)


Has anyone ever actioned making some variables configurable - as per this comment in Troy Hunt's excellent article on the subject of session hijacking with Elmah?

Even if I restrict access to elmah logs to single person, that person should not be able to impersonate users. While better than opening your fly to the whole world, it is still not acceptable by any serious standards. The real solution would be to have Elmah NOT store the values of auth/roles cookies BY DEFAULT and make that list configurable.
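
One way to keep auth cookie values out of stored entries with the existing filtering hook, as an added example that is not part of the original issue or ELMAH's own code. It assumes ELMAH 1.x in a classic ASP.NET application, the logging module registered under the name `ErrorLog` in web.config, and a hard-coded cookie deny-list (`SensitiveCookies`, `Mask` and `Scrub` are hypothetical names).

```csharp
// Added example: Global.asax.cs for a classic ASP.NET app using ELMAH 1.x.
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using Elmah;

public class Global : HttpApplication
{
    // Assumed deny-list; add the application's own auth/role cookie names.
    static readonly string[] SensitiveCookies =
        { ".ASPXAUTH", ".ASPXROLES", "ASP.NET_SessionId" };

    const string Mask = "[redacted]";

    // Raised by the module registered under the name "ErrorLog" (assumed)
    // before an entry is stored.
    void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        var ctx = e.Context as HttpContext;
        if (ctx == null) return;

        // Build the same request snapshot ELMAH would have stored.
        var error = new Error(e.Exception, ctx);

        foreach (var name in SensitiveCookies)
            if (error.Cookies[name] != null)
                error.Cookies.Set(name, Mask);

        // The Cookie header is also copied verbatim into these server variables.
        foreach (var key in new[] { "HTTP_COOKIE", "ALL_HTTP", "ALL_RAW" })
            Scrub(error.ServerVariables, key);

        ErrorLog.GetDefault(ctx).Log(error); // store the scrubbed copy
        e.Dismiss();                         // discard the unscrubbed original
    }

    static void Scrub(NameValueCollection vars, string key)
    {
        var value = vars[key];
        if (value == null) return;
        foreach (var name in SensitiveCookies)
            value = Regex.Replace(value,
                Regex.Escape(name) + @"=[^;\r\n]*", name + "=" + Mask,
                RegexOptions.IgnoreCase);
        vars.Set(key, value);
    }
}
```

This only covers the log module: the mail module has its own `ErrorMail_Filtering` event and needs the same treatment. Entries stored before the filter was deployed still contain the original cookie values.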