Reputation: 1
Can i prevent Elmah inside my asp.net mvc-4 web aplication from exposing the users' passwords
When i developed my first asp.net web application, and users receives an exception, i thought that IIS will have a full details about the exception, which was not the case. And i was told that to store any exception info i can use a library name Elmah, which worked for us. But recently i was checking an exception raised by a user after his sign-in to our asp.net mvc, and i found that Elmah stored the username and password inside the xml file as follow:-
-<item name="__RequestVerificationToken">
<value string="X***************************81"/>
</item>
-<item name="UserName">
<value string="******"/>
</item>
-<item name="Password">
<value string="******"/>
</item>
-<item name="domains">
<value string="******"/>
</item>
-<item name="RememberMe">
<value string="true"/>
<value string="false"/>
</item>
</form>
in our case the asp.net mvc-4 provide a login view,to enter username/password which is connected to our active directory using ldap connection string , here is the code for the login (not sure if it can help):-
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Login(LoginModel model, string returnUrl)
{
MembershipProvider domainProvider;
domainProvider = Membership.Providers["DomainADMembershipProvider"];
if (ModelState.IsValid)
{
// Validate the user with the membership system.
if (domainProvider.ValidateUser(model.UserName, model.Password))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
List<String> domains2 = new List<String>();
domains2.Add("*****");
ViewBag.Domains = domains2;
return View(model);
}
return RedirectToLocal(returnUrl);
}
List<String> domains = new List<String>();
domains.Add("***");
ViewBag.Domains = domains;
return View(model);
}
and here is the Elmah components inside our web.config:-
<sectionGroup name="elmah">
<section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
<section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
<section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
<section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
</sectionGroup>
<appSettings>
<add key="elmah.mvc.disableHandler" value="false" />
<add key="elmah.mvc.disableHandleErrorFilter" value="false" />
<add key="elmah.mvc.requiresAuthentication" value="false" />
<add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
<add key="elmah.mvc.allowedRoles" value="*" />
<add key="elmah.mvc.allowedUsers" value="*" />
<add key="elmah.mvc.route" value="elmah" />
<add key="elmah.mvc.UserAuthCaseSensitive" value="true" />
</appSettings>
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
</httpModules>
<modules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
<elmah>
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="C:\elmaherrorlogs\" />
</elmah>
now to be honest Elmah had helped us a lot when users face un-handled exceptions, but if there is not a way to prevent it from exposing users' password then i think i will need to disable it.
can anyone advice if we can prevent Elmah from exposing the users' passwords inside the exception xml file? Thanks
Upvotes: 1
Views: 421
Answers (1)
Reputation: 5516
Finally found the code we used in one of our MVC4 projects. Place this in your Global.asax.cs file:
// remove Password field from logging
// http://blog.elmah.io/removing-sensitive-form-data-before-logging-to-elmah/
public void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e) {
var httpContext = e.Context as HttpContext;
if (httpContext != null && httpContext.Request.Form.AllKeys.Any(k => k == "Password")) {
var error = new Error(e.Exception, httpContext);
error.Form.Set("Password", "******");
ErrorLog.GetDefault(httpContext).Log(error);
e.Dismiss();
}
}
It appears that the referenced blog at elmah.io has changed, but that code may be useful as well.
Upvotes: 2
Related Questions
- How do I secure Elmah on ASP.Net MVC 4 with Windows Integrated Security : Elmah ignores my settings
- ASP.NET MVC Site With ELMAH.MVC - Windows Authentication
- How to secure Elmah.axd?
- Securing Elmah in ASP.NET website
- Disable ELMAH in configuration
- Custom authentication for Elmah in .net mvc
- Password protect Elmah while web application Anonymously accessible
- How do i restrict access to elmah without using in-built authentication?
- How to secure Elmah in MVC in area
- Secure elmah with ASp.NET security but only to some users