Kent
Active member
If a user is registering or logging in and a server error occurs during the request, the full state of the request gets sent to the error log, including the user's password. I believe this information should be censored in the log to protect user privacy and confidence in security.
Censoring the password could pose a problem if somehow the password is related to the server error, so perhaps an override (such as debug mode) should allow the log to be untouched.
I noticed this because Gravatar timed out when a user was registering.
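One way to implement the censoring suggested above, including the debug-mode override, as an added example that is not part of the original post or the forum software's own code. The key names, the `debug` flag, the function names and the sample request are assumptions constructed for illustration.

```python
import json

# Assumed substrings that mark a field as password-bearing (matched case-insensitively).
SENSITIVE_KEY_PARTS = ("password", "passwd")
REDACTED = "********"


def is_sensitive(key):
    """True if the field name looks like it carries a password."""
    name = str(key).lower()
    return any(part in name for part in SENSITIVE_KEY_PARTS)


def censor_request_state(state, debug=False):
    """Return a copy of the request state with password fields masked.

    With debug=True the state is returned untouched, for the case where
    the password itself may be related to the server error.
    """
    if debug:
        return state
    if isinstance(state, dict):
        return {
            key: REDACTED if is_sensitive(key) else censor_request_state(value)
            for key, value in state.items()
        }
    if isinstance(state, (list, tuple)):
        return [censor_request_state(item) for item in state]
    return state


def build_error_log_entry(message, request_state, debug=False):
    """Serialize an error log entry; censoring happens before serialization."""
    entry = {"error": message,
             "request_state": censor_request_state(request_state, debug)}
    return json.dumps(entry, sort_keys=True)


# Constructed sample: a registration request that failed on an avatar lookup timeout.
SAMPLE_STATE = {
    "url": "/register",
    "_GET": {},
    "_POST": {"username": "alice", "email": "alice@example.com",
              "password": "hunter2", "password_confirm": "hunter2"},
}

if __name__ == "__main__":
    print(build_error_log_entry("Gravatar request timed out", SAMPLE_STATE))
```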