Hi, I agree that we should treat session cookies as sensitive and hide them like we do with passwords. That said, please be aware that all the SafeException reporters are best effort and it is generally not possible to have a "safe" exception.
In that sense, patches welcome but we are not going to treat this as security issue (ie no backporting). Cheers, Florian On Monday, January 17, 2022 at 10:09:07 PM UTC+1 Tobias Bengfort wrote: > Hi, > > AFAIU, SafeExceptionReporterFilter takes care of removing any sensitive > data from logs. However, I today realized that this does not cover > session cookies. > > In a ticket about this issue[1] it was treated not as a security issue > but more as a request for customization. That puzzled me a bit. Why are > session cookies not treated as sensitive, just like passwords are? > > thanks, > tobias > > > [1]: https://code.djangoproject.com/ticket/29714 > -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/a2b299d1-6700-487d-ae45-37c6612e33ffn%40googlegroups.com.
