Looks like it can log the following variants of Session cookie encryptor error: <message>
wrong version
Message is invalid
invalid message
HMAC is invalid
I'm not sure they're useful to always have enabled (in production) as any user can trigger at least "Session cookie encryptor error: Message is invalid" by sending bogus data in the Cookie header.
Does it make sense to be able to silence this logging or make it opt-in?
https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/cookie.rb#L223-L224
Maybe behind $VERBOSE as done here? https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/abstract/id.rb#L397
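The opt-in behaviour suggested above, as an added example that is not part of the original post and not rack-session's own code. It assumes a constructed HMAC-signed cookie format; `DemoCookieCodec` and `load_session` are hypothetical names. A bad cookie always produces a nil session, and the log line is written only when `verbose` is set.

```ruby
require "openssl"
require "base64"

# Constructed stand-in for a signed session cookie: payload + HMAC-SHA256 tag.
# DemoCookieCodec is a hypothetical name, not rack-session's encryptor.
class DemoCookieCodec
  class Error < StandardError; end
  TAG_LEN = 32

  def initialize(secret)
    @secret = secret
  end

  def encode(data)
    Base64.urlsafe_encode64(data.b + tag_for(data.b))
  end

  def decode(cookie)
    raw = Base64.urlsafe_decode64(cookie.to_s)
    raise Error, "Message is invalid" if raw.bytesize < TAG_LEN
    data, tag = raw[0...-TAG_LEN], raw[-TAG_LEN, TAG_LEN]
    raise Error, "HMAC is invalid" unless same_bytes?(tag, tag_for(data))
    data
  rescue ArgumentError # malformed Base64 from the client
    raise Error, "Message is invalid"
  end

  private

  def tag_for(data)
    OpenSSL::HMAC.digest("SHA256", @secret, data)
  end

  # Comparison that does not stop at the first differing byte.
  def same_bytes?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A bad cookie always yields nil (the request gets a fresh session); the
# log line, which any client can trigger, is written only when verbose is set.
def load_session(codec, cookie, errors, verbose: $VERBOSE)
  codec.decode(cookie)
rescue DemoCookieCodec::Error => e
  errors.puts "Session cookie encryptor error: #{e.message}" if verbose
  nil
end
```

Here `errors` is any IO-like object that responds to `puts`, and `verbose` defaults to `$VERBOSE`, so the message appears only when Ruby warnings are enabled.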