Closed GoogleCodeExporter closed 9 years ago
Original comment by azizatif
on 28 Oct 2009 at 7:26
Original comment by azizatif
on 28 Oct 2009 at 7:27
What is the status of this issue? We are very interested in this, and were
going to submit it too, but found this issue. Is this going to be included in
a release soon?
Russ Clark,
Sandia National Laboratories,
Albuquerque, NM
Original comment by rdcl...@sandia.gov
on 4 Dec 2009 at 5:35
It should be configurable i.m.o., but I've managed to exclude it without
modifying the source:
http://tech.kipusoep.nl/2012/01/06/umbraco-elmah-with-sql-ce-4-0-and-authentication-part-2/
Original comment by ralph.eg...@gmail.com
on 6 Jan 2012 at 10:29
Please elevate this much needed feature to high priority and implement it in
the next Service Pack.
We have all been eagerly waiting for it since 2009, when it was first logged.
Original comment by ykhab...@gmail.com
on 5 Feb 2012 at 8:02
Highly needed feature. Having the user password as part of the error log
prevents us from using ELMAH in a production environment. Please implement.
Original comment by epignos...@gmail.com
on 6 Feb 2012 at 2:00
I think it is a good idea, add this feature
Original comment by jema...@miamigov.com
on 6 Feb 2012 at 3:08
It would be a great feature. Please add it as soon as possible.
Original comment by ijgarci...@gmail.com
on 6 Feb 2012 at 3:12
As a QA tester for web-application development, we are continually forwarding
ELMAHs (emails) encountered to the development and QA team. Having my password
concealed is a basic requirement for security (on a daily basis). Please
implement this feature a.s.a.p. in the upcoming Service Pack 2.
Original comment by webnetst...@gmail.com
on 6 Feb 2012 at 3:16
Please add this feature, it is much needed. Passing the user information in an
error message is a security issue.
Original comment by mannyot...@gmail.com
on 6 Feb 2012 at 3:16
This missing feature is preventing us from using ELMAH for our Web based
applications. It should be part of ELMAH’s core configuration
functionality. Having ELMAH 1.2 SP2 just for this single feature is a must.
Original comment by miria...@gmail.com
on 6 Feb 2012 at 3:45
I have been concerned that the password is included in the body of the Elmah
message since the first day I started receiving them as a result of my QA
activities (2010). The priority of this request should be updated to HIGH.
Original comment by cvc...@yahoo.com
on 6 Feb 2012 at 3:47
In my opinion, it doesn't take too much effort to add this feature and the
benefit would be great. Please consider it as soon as possible.
Original comment by pcary2...@yahoo.com
on 6 Feb 2012 at 4:22
We would like to implement this feature in our production environment but
creating our own fork of the source is an undesirable option. Sending/logging
the user password anywhere is a major security concern in most organizations.
Original comment by AnthonyV...@gmail.com
on 6 Feb 2012 at 4:32
Hi there!
It's good to see so many people interested in this issue!
A few questions:
1) Are there any use cases for including AUTH_PASSWORD at all?
2) Should AUTH_PASSWORD be excluded by default?
i.e. <security /> <!-- no omitServerVariables -->
will automatically exclude AUTH_PASSWORD
3) If it is excluded by default how do you add it back in again?
Perhaps <security omitServerVariables="" /> gets it back.
4) Should the NuGet package be the one that does the exclusion?
Cheers,
James
Original comment by jamesdriscoll71
on 6 Feb 2012 at 4:58
In my opinion I believe AUTH_PASSWORD should be omitted by default. It seems to
me that this is a feature that would be sought out for a particular purpose and
not needed 99% of the time. The consequences of leaving this setting on without
realizing can be disastrous.
Original comment by AnthonyV...@gmail.com
on 6 Feb 2012 at 6:19
Hi James,
Thanks for the ideas on how to implement handling of the AUTH_PASSWORD server
variable (and any other server variable).
1) Are there any use cases for including AUTH_PASSWORD at all?
Yes.
2) Should AUTH_PASSWORD be excluded by default?
i.e. <security /> <!-- no omitServerVariables -->
will automatically exclude AUTH_PASSWORD
It could be included by default.
3) If it is excluded by default how do you add it back in again?
Perhaps <security omitServerVariables="" /> gets it back.
If included by default, then using a comma-separated list of values,
omitServerVariables="AUTH_PASSWORD,...", will disable it.
4) Should the NuGet package be the one that does the exclusion?
Nice to have, but not mandatory.
Original comment by ykhab...@gmail.com
on 6 Feb 2012 at 6:23
Hi James,
Thanks for the quick answer. This is my opinion about your questions:
1- Are there any use cases for including AUTH_PASSWORD at all?
I can't think of a use case where it would be needed. But since it has always
been part of ELMAH, some developers might rely on it for something. I would
keep it for backward compatibility and for full coverage.
2- Should AUTH_PASSWORD be excluded by default?
i.e. <security /> <!-- no omitServerVariables -->
will automatically exclude AUTH_PASSWORD?
I think that excluding by default will be confusing. I would prefer to
explicitly specify it using the idea of omitServerVariables.
3- If it is excluded by default how do you add it back in again?
Again, I don't think excluding by default is a good idea. It's not consistent
with the way other server variables will be handled.
4- Should the NuGet package be the one that does the exclusion?
Yes. I think we should make it a best practice not to include user passwords.
Also, developers using the NuGet package get the idea of how they can omit
other server variables.
Original comment by epignos...@gmail.com
on 6 Feb 2012 at 6:38
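One way to keep a comma-separated list of server variables out of the error log using ELMAH's existing Filtering event, in the spirit of the omitServerVariables list discussed above. This is an added example, not ELMAH project code and not the method from the blog post linked earlier; the elmah:omitServerVariables appSettings key is hypothetical, and the logging module is assumed to be registered under the name ErrorLog in web.config.

```csharp
// Global.asax.cs: added example, not ELMAH project code.
using System;
using System.Configuration;
using System.Web;
using Elmah;

public class Global : HttpApplication
{
    // Hypothetical appSettings key holding a comma-separated list,
    // mirroring the omitServerVariables idea from the thread.
    private const string OmitKey = "elmah:omitServerVariables";

    // Assumes the module is registered as "ErrorLog" in web.config, so
    // ASP.NET wires this method to the module's Filtering event by name.
    protected void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        var context = e.Context as HttpContext;
        if (context == null)
            return; // no HTTP context: let ELMAH log as usual

        // When the key is absent, omit AUTH_PASSWORD by default.
        var setting = ConfigurationManager.AppSettings[OmitKey] ?? "AUTH_PASSWORD";
        var names = setting.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        // Build the entry ELMAH would have built, then strip the variables.
        var error = new Error(e.Exception, context);
        foreach (var name in names)
            error.ServerVariables.Remove(name.Trim());

        // Log the scrubbed copy and stop the module from logging the original.
        ErrorLog.GetDefault(context).Log(error);
        e.Dismiss();
    }
}
```

Under Basic authentication the same credential also travels base64-encoded in the Authorization header, which appears in HTTP_AUTHORIZATION, ALL_HTTP and ALL_RAW, so those names belong on the list too. The handler covers only the error log; mail sent by ErrorMailModule is built separately.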
Original issue reported on code.google.com by
mhenr...@gmail.com
on 28 Oct 2009 at 2:32