Looks like it can log the following variants of Session cookie encryptor error: <message>
wrong version
Message is invalid
invalid message
HMAC is invalid
I'm not sure they're useful to always have enabled (in production) as any user can trigger at least Session cookie encryptor error: Message is invalid by sending bogus data in the Cookie header.
Does it makes sense to be able to silence this logging or make it opt-in?
https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/cookie.rb#L223-L224
Maybe behind
$VERBOSEas done here?https://github.com/rack/rack-session/blob/d2f080c243cac167fc5176c5cf869e23fe7f6ec6/lib/rack/session/abstract/id.rb#L397
Looks like it can log the following variants of
Session cookie encryptor error: <message>wrong versionMessage is invalidinvalid messageHMAC is invalidI'm not sure they're useful to always have enabled (in production) as any user can trigger at least
Session cookie encryptor error: Message is invalidby sending bogus data in theCookieheader.