Does it make sense to be able to silence this logging or make it opt-in?

rack-session/lib/rack/session/cookie.rb, lines 223 to 224 in d2f080c:

```ruby
rescue Rack::Session::Encryptor::Error => error
  request.env[Rack::RACK_ERRORS].puts "Session cookie encryptor error: #{error.message}"
```

Maybe behind `$VERBOSE` as done here? rack-session/lib/rack/session/abstract/id.rb, line 397 in d2f080c:

```ruby
req.get_header(RACK_ERRORS).puts("Deferring cookie for #{session_id}") if $VERBOSE
```

Looks like it can log the following variants of `Session cookie encryptor error: <message>`:

- wrong version
- Message is invalid
- invalid message
- HMAC is invalid

I'm not sure they're useful to always have enabled (in production) as any user can trigger at least `Session cookie encryptor error: Message is invalid` by sending bogus data in the `Cookie` header.
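One way an operator can keep those lines out of production logs today, without waiting for a change in rack-session, is to wrap `rack.errors` in a filtering stream from a middleware placed in front of the session middleware. The following is an added example, not code from the rack-session project: the `QuietSessionErrors` middleware, the `FAKE_APP` stand-in (which writes the same line cookie.rb's rescue clause writes, so the gem does not need to be installed) and the cookie value in the env are all constructed for this illustration. The filter honours `$VERBOSE` the same way the "Deferring cookie" line in abstract/id.rb does.

```ruby
# Added example (not rack-session's own code): a Rack-style middleware that
# wraps env["rack.errors"] so that "Session cookie encryptor error: ..." lines
# are dropped unless $VERBOSE is set. Everything else written to rack.errors
# passes through unchanged.
require "stringio"

class QuietSessionErrors
  # The prefix written by Rack::Session::Cookie's rescue clause.
  PATTERN = /\ASession cookie encryptor error: /.freeze

  # IO-like wrapper that forwards all lines except those matching the pattern.
  class FilteringErrors
    def initialize(io, pattern)
      @io = io
      @pattern = pattern
    end

    def puts(*lines)
      lines = lines.flatten.map(&:to_s)
      kept = $VERBOSE ? lines : lines.reject { |l| l.match?(@pattern) }
      @io.puts(*kept) unless kept.empty?
    end

    def write(str)
      return str.to_s.length if !$VERBOSE && str.to_s.match?(@pattern)
      @io.write(str)
    end

    def flush
      @io.flush
    end
  end

  def initialize(app, pattern: PATTERN)
    @app = app
    @pattern = pattern
  end

  def call(env)
    # Hand the downstream app (and Rack::Session::Cookie) a filtered stream.
    env = env.merge("rack.errors" => FilteringErrors.new(env["rack.errors"], @pattern))
    @app.call(env)
  end
end

# Constructed stand-in for an app behind Rack::Session::Cookie that received an
# undecryptable cookie: it writes the same line cookie.rb's rescue clause does,
# plus an unrelated line that must still reach the log.
FAKE_APP = lambda do |env|
  env["rack.errors"].puts("Session cookie encryptor error: Message is invalid")
  env["rack.errors"].puts("unrelated application log line")
  [200, { "content-type" => "text/plain" }, ["ok"]]
end

# Runs one request with the given $VERBOSE setting and returns the lines that
# actually reached rack.errors.
def logged_lines(verbose:)
  old_verbose = $VERBOSE
  $VERBOSE = verbose
  errors = StringIO.new
  env = { "rack.errors" => errors, "HTTP_COOKIE" => "rack.session=bogus" } # constructed
  QuietSessionErrors.new(FAKE_APP).call(env)
  errors.string.lines.map(&:chomp)
ensure
  $VERBOSE = old_verbose
end

if __FILE__ == $PROGRAM_NAME
  p logged_lines(verbose: false) # only the unrelated line
  p logged_lines(verbose: true)  # both lines
end
```

With `$VERBOSE` off, a request carrying a bogus cookie produces no encryptor line at all, so a flood of garbage `Cookie` headers cannot fill the error log; with `$VERBOSE` on, the line is kept for debugging. Mount the middleware above `Rack::Session::Cookie` in `config.ru` (`use QuietSessionErrors` before `use Rack::Session::Cookie, ...`) so the session middleware sees the filtered stream.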