
When I developed my first ASP.NET web application and users received an exception, I thought that IIS would have full details about the exception, which was not the case. I was told that to store any exception info I could use a library named Elmah, which worked for us. But recently I was checking an exception raised by a user after his sign-in to our ASP.NET MVC application, and I found that Elmah stored the username and password inside the XML file as follows:

    <item name="__RequestVerificationToken">
      <value string="X***************************81"/>
    </item>
    <item name="UserName">
      <value string="******"/>
    </item>
    <item name="Password">
      <value string="******"/>
    </item>
    <item name="domains">
      <value string="******"/>
    </item>
    <item name="RememberMe">
      <value string="true"/>
      <value string="false"/>
    </item>
    </form>

In our case the ASP.NET MVC 4 application provides a login view to enter username/password, which is connected to our Active Directory using an LDAP connection string. Here is the code for the login (not sure if it can help):

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    [ValidateInput(false)]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Authenticate against Active Directory through the AD membership
        // provider configured in web.config.
        MembershipProvider domainProvider = Membership.Providers["DomainADMembershipProvider"];

        if (ModelState.IsValid)
        {
            // Validate the user with the membership system.
            if (domainProvider.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
                List<String> domains2 = new List<String>();
                domains2.Add("*****");   // domain name redacted in the question

                ViewBag.Domains = domains2;
                return View(model);
            }

            return RedirectToLocal(returnUrl);
        }

        // Model validation failed: redisplay the form with the domain list.
        List<String> domains = new List<String>();
        domains.Add("***");   // domain name redacted in the question

        ViewBag.Domains = domains;
        return View(model);
    }

And here are the Elmah components inside our web.config:

    <sectionGroup name="elmah">
      <section name="security" requirePermission="false" type="Elmah.SecuritySectionHandler, Elmah" />
      <section name="errorLog" requirePermission="false" type="Elmah.ErrorLogSectionHandler, Elmah" />
      <section name="errorMail" requirePermission="false" type="Elmah.ErrorMailSectionHandler, Elmah" />
      <section name="errorFilter" requirePermission="false" type="Elmah.ErrorFilterSectionHandler, Elmah" />
    </sectionGroup>

    <appSettings>
      <add key="elmah.mvc.disableHandler" value="false" />
      <add key="elmah.mvc.disableHandleErrorFilter" value="false" />
      <add key="elmah.mvc.requiresAuthentication" value="false" />
      <add key="elmah.mvc.IgnoreDefaultRoute" value="false" />
      <add key="elmah.mvc.allowedRoles" value="*" />
      <add key="elmah.mvc.allowedUsers" value="*" />
      <add key="elmah.mvc.route" value="elmah" />
      <add key="elmah.mvc.UserAuthCaseSensitive" value="true" />
    </appSettings>

    <httpModules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
    </httpModules>

    <modules>
      <add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
      <add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
    </modules>

    <elmah>
      <errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="C:\elmaherrorlogs\" />
    </elmah>

Now, to be honest, Elmah has helped us a lot when users face unhandled exceptions, but if there is no way to prevent it from exposing users' passwords then I think I will need to disable it.

Can anyone advise whether we can prevent Elmah from exposing the users' passwords inside the exception XML file? Thanks

John John
  • Possible duplicate of [In ELMAH with MVC 3, How can I hide sensitive form data from the error log?](https://stackoverflow.com/questions/6628389/in-elmah-with-mvc-3-how-can-i-hide-sensitive-form-data-from-the-error-log) – jmoerdyk Sep 09 '19 at 17:28
  • This may be of help too: http://www.codewrecks.com/blog/index.php/2013/10/07/avoid-logging-sensitive-information-with-elmah/ – jmoerdyk Sep 09 '19 at 17:33

1 Answer


Finally found the code we used in one of our MVC4 projects. Place this in your Global.asax.cs file:

using System.Linq;
using System.Web;
using Elmah;

// remove Password field from logging
// http://blog.elmah.io/removing-sensitive-form-data-before-logging-to-elmah/
// Wired up by ASP.NET's <module>_<event> naming convention for Elmah's ErrorLogModule.
public void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e) {
    var httpContext = e.Context as HttpContext;
    // Key comparison is case-sensitive: only a form field named exactly "Password" matches.
    if (httpContext != null && httpContext.Request.Form.AllKeys.Any(k => k == "Password")) {
        // Build a fresh Error from the same exception and request, mask the field,
        // log that copy, then dismiss the original so the unmasked one is never written.
        var error = new Error(e.Exception, httpContext);
        error.Form.Set("Password", "******");
        ErrorLog.GetDefault(httpContext).Log(error);
        e.Dismiss();
    }
}

It appears that the referenced blog at elmah.io has changed, but that code may be useful as well.

jmoerdyk
  • Ok, thanks for the reply, will try your code. But will your code work for MVC-4? Second point, is there a test I can do to check that the password will not be logged? – John John Sep 09 '19 at 18:43
  • It is from an MVC 4 project. The best way to verify is to check the logs; the password value in the logs should be the asterisks. It works by creating a new Error if the form contains a field named "Password", substitutes the value for that field in the new Error, logs the new Error and discards the old one. – jmoerdyk Sep 09 '19 at 18:50
  • Ok, so I will force an exception inside the code to test it. But inside the Elmah XML error I found some parameters such as `HTTP_COOKIE` & `__RequestVerificationToken` & `.ASPXAUTH`, so should I also remove these values from being written to the XML Elmah error files (same as the password case)? – John John Sep 09 '19 at 18:55
  • If you want to stop any other parameters, you're going to have to change the key test logic and the text replacement code. – jmoerdyk Sep 09 '19 at 19:09
  • Thanks for your reply. I mean in my case if I enter an invalid ID inside the URL, there will be an unhandled exception, and the XML Elmah error will contain a parameter named `AUTH_PASSWORD`. So I modified your code to prevent the `AUTH_PASSWORD`, but the generated XML will still contain the `AUTH_PASSWORD`. So if the code did not work for the `AUTH_PASSWORD` then it will not work for the `PASSWORD`. Is this correct? – John John Sep 09 '19 at 19:16
  • Well, this is only intended to stop any submitted form fields, such as plaintext passwords. You may have to go poking around in the `httpContext.Request` to get at anything else. – jmoerdyk Sep 09 '19 at 20:03
  • Yes, yes, you are correct, my test will not have any values inside the submitted form. So one last point I have: what other parameters do we need to hide? When I checked the Elmah XML, I found parameters such as `HTTP_COOKIE` & `__RequestVerificationToken` & `.ASPXAUTH`. So do those expose private data? – John John Sep 09 '19 at 20:55
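The comments above end with the open question of how to cover keys other than the `Password` form field. Below is a generalised version of the answer's handler, added here as an example (not code from the question, the answer or the Elmah project): it masks a configurable set of keys across all four collections Elmah writes to the XML file (form, cookies, query string and server variables), so `AUTH_PASSWORD`, `HTTP_COOKIE`, `__RequestVerificationToken` and `.ASPXAUTH` are handled the same way as the form field, and it also dismisses the ErrorMail module's copy, which is raised separately and would otherwise still carry the unmasked values. The class name `MvcApplication`, the key list and the mask string are assumptions; the `Error`, `ErrorLog` and `ExceptionFilterEventArgs` types are the ones the answer already uses.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Web;
using Elmah;
public partial class MvcApplication : HttpApplication   // Global.asax.cs; class name assumed
{
    // Keys to mask (assumed list, built from the names discussed on this page);
    // matching is case-insensitive so "password" and "PASSWORD" are caught as well.
    private static readonly string[] SensitiveKeys =
        { "Password", "AUTH_PASSWORD", "HTTP_COOKIE", "__RequestVerificationToken", ".ASPXAUTH" };
    private const string Mask = "******";
    // Wired up by ASP.NET's <module>_<event> naming convention for Elmah's ErrorLogModule.
    public void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        var httpContext = e.Context as HttpContext;
        if (httpContext == null) return;
        var scrubbed = BuildScrubbed(e.Exception, httpContext);
        if (scrubbed == null) return;                    // nothing sensitive: log the original as-is
        ErrorLog.GetDefault(httpContext).Log(scrubbed);  // write the masked copy ...
        e.Dismiss();                                     // ... and drop the unmasked original
    }

    // ErrorMailModule raises its own Filtering event with the unmasked error; dismiss the mail too.
    public void ErrorMail_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        var httpContext = e.Context as HttpContext;
        if (httpContext != null && BuildScrubbed(e.Exception, httpContext) != null) e.Dismiss();
    }

    // Elmah's Error for this request with every sensitive key masked, or null if none was present.
    private static Error BuildScrubbed(Exception exception, HttpContext httpContext)
    {
        var error = new Error(exception, httpContext);
        // Non-short-circuiting | so all four collections are scrubbed, not just the first hit.
        bool redacted = Scrub(error.Form) | Scrub(error.Cookies)
                      | Scrub(error.QueryString) | Scrub(error.ServerVariables);
        return redacted ? error : null;
    }

    // Replaces the value of every matching key in place; true if anything changed.
    private static bool Scrub(NameValueCollection collection)
    {
        var hits = collection.AllKeys.Where(k =>
            k != null && SensitiveKeys.Contains(k, StringComparer.OrdinalIgnoreCase)).ToList();
        foreach (var key in hits) collection[key] = Mask;
        return hits.Count > 0;
    }
}
```

To verify, trigger an unhandled exception on a request that carries one of the listed keys and confirm the XML file under `logPath` shows the mask for that key in every collection, not only under `<form>`.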