Steve Seier
We have an ASP.NET 2.x application that's been operational for several years. This app is forms-based, so we handle user authentication in the app.

Recently, looking at the server event log, I see several errors/events that point to ASP.NET when there is a failure, such as a user entering the wrong password (which we handle), and other errors coming from the application. However, when there is an error written to the event log, all the gory information about the event and the user's credentials is written to the log file (event) as well, including the PASSWORD in clear text!

Password in CLEAR text! What! Why is Microsoft doing/allowing this? This is a breach of security in that any administrator or user that can look at the events can find this sensitive data.

Is there any way to turn this option off or change the behavior of .NET to not write such data to the event logs?

I'm totally baffled by this! In this age of security, sensitive data like user IDs and passwords are written to a common log file for all to see.
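As an added example (not code from the original post, and not Microsoft's own implementation), here is a Global.asax.cs error handler for an ASP.NET 2.x (System.Web) forms-authentication application that takes over unhandled-error logging: it writes its own event-log entry with credential fields redacted by key and their values scrubbed from the exception text, then clears the error so the framework does not also record the raw request. The post does not say which code path produced the entries, so this targets the general risk. The field names in `SensitiveFields`, the event source `MyApp` (which an administrator must register once with `EventLog.CreateEventSource`), the error page `~/Error.aspx`, and the assumption that `Server.ClearError()` in `Application_Error` stops the framework's own runtime-error event for that request are all assumptions of this example.

```csharp
// Added example (not from the original post): sanitized error logging for an
// ASP.NET 2.x application. Field names, event source and error page are hypothetical.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Any form or query-string key containing one of these fragments is treated as a
    // credential; the Contains check also catches generated ids like "ctl00$Login1$Password".
    private static readonly string[] SensitiveFields = { "password", "pwd", "passwd" };
    private const string EventSource = "MyApp";        // hypothetical, pre-registered source
    private const string Redacted = "[REDACTED]";

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        string entry;
        try
        {
            entry = BuildSanitizedEntry(ex, Request.Url, Request.QueryString, Request.Form);
        }
        catch (Exception)
        {
            // If request objects are unavailable, log the exception type alone rather than nothing.
            entry = "Unhandled " + ex.GetType().FullName + " (request details unavailable)";
        }

        try { EventLog.WriteEntry(EventSource, entry, EventLogEntryType.Error); }
        catch (Exception) { /* a logging failure must never mask the original error */ }

        // Assumption: marking the error as handled here keeps the framework from writing
        // its own unredacted entry for this request.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);    // hypothetical friendly error page
    }

    public static bool IsSensitive(string key)
    {
        if (key == null) return false;
        string k = key.ToLowerInvariant();
        foreach (string s in SensitiveFields)
            if (k.Contains(s)) return true;
        return false;
    }

    public static string BuildSanitizedEntry(Exception ex, Uri url,
        NameValueCollection query, NameValueCollection form)
    {
        // Collect the secret values themselves so they can be scrubbed wherever they
        // appear (e.g. inside an exception message that echoed the failed login),
        // not only under their own key.
        List<string> secrets = new List<string>();
        CollectSecrets(query, secrets);
        CollectSecrets(form, secrets);

        StringBuilder sb = new StringBuilder();
        sb.Append("Unhandled exception: ").Append(ex.GetType().FullName).AppendLine();
        sb.Append("Message: ").Append(Scrub(ex.Message, secrets)).AppendLine();
        sb.Append("Path: ").Append(url.AbsolutePath).AppendLine();   // path only, never the query
        AppendFields(sb, "Query", query);
        AppendFields(sb, "Form", form);
        sb.Append("Stack: ").Append(Scrub(ex.StackTrace ?? "", secrets));
        return sb.ToString();
    }

    private static void CollectSecrets(NameValueCollection c, List<string> secrets)
    {
        if (c == null) return;
        foreach (string key in c.AllKeys)
        {
            if (!IsSensitive(key)) continue;
            string v = c[key];
            // Short values are kept too: over-redacting the log is the safer failure.
            if (!string.IsNullOrEmpty(v)) secrets.Add(v);
        }
    }

    private static void AppendFields(StringBuilder sb, string label, NameValueCollection c)
    {
        if (c == null || c.Count == 0) return;
        sb.Append(label).Append(":").AppendLine();
        foreach (string key in c.AllKeys)
            sb.Append("  ").Append(key).Append(" = ")
              .Append(IsSensitive(key) ? Redacted : c[key]).AppendLine();
    }

    // Replaces every occurrence of a collected secret in free text with the marker.
    public static string Scrub(string text, List<string> secrets)
    {
        if (string.IsNullOrEmpty(text)) return text;
        foreach (string s in secrets)
            text = text.Replace(s, Redacted);
        return text;
    }
}
```

Two design points worth checking in your own environment: value-based scrubbing only works when the handler can still read the request, so the try/catch fallback deliberately logs less rather than falling back to the raw exception; and if you prefer not to depend on `Server.ClearError()` suppressing the framework's entry, the default health-monitoring rules in the root web.config (`healthMonitoring` / `rules`, the entries named "All Errors Default" and "Failure Audits Default", both pointing at the event-log provider) can be removed or retargeted in the application's web.config, which is worth verifying on the server alongside this handler.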