Trace.axd

cameron

I have attempted to lock down the trace.axd file with the standard:

<location path="trace.axd">
<system.web>
<authorization>
<allow roles="SOME GROUP"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

in my web.config file. And it works fine if I go to <my URL>/trace.axd
but one of my colleagues mistyped the URL <my URL>/SOME SUB DIRECTORY/trace.axd
and got the trace. We have been playing with it and
every single subdirectory will display the trace.axd. We have tried

<location path="*/trace.axd">
<location path="//trace.axd">
<location path="*.axd">

And a stack of variations thereof, but it is not happy. Does anyone know
how to lock down the trace.axd, no matter what subdirectory you are in?

Thanks

-Cam
 
Juan T. Llibre [MVP]

Use :

<%@ Page Trace="false" %>

or :

<trace enabled="false">

in your web.config.



Juan T. Llibre
===========
 
cameron

That will turn the trace on or off, but will not leave it on and
accessible to the developers. By doing the location thing, you can leave
the trace running and retrieve debugging information if a production
site has issues. Doing it per page would require editing source code on
production sites to get debugging info.

-Cam
 
Juan T. Llibre [MVP]

There's only two states for "trace".

Either it's *on*, or it's *off*.
If it's *on*, you must deal with its consequences.

If it's off, whether per page or per application,
your problems are over either for the page in question
or for the application in question.

You can't have your cake and eat it, too.

re:
By doing the location thing

You said that didn't work.
I don't think it works as a global restraint.




Juan T. Llibre
===========
 
Joe Fallon

If you add this to your Global.asax you can enable trace "on the fly" for
developers who know the secret password (debug, in this case).
===================================================================

Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    'comment out this code when building a Production release
    'It allows you to get a trace on any page while running by adding
    '"?debug=1" to a URL.
    'Can be any value, not just 1.

    If Not Request.QueryString("debug") Is Nothing Then
        Context.Trace.IsEnabled = True
    End If
End Sub
===================================================================
 
Steven Cheng[MSFT]

Hi Cam,

Thanks for your posting. Yes, I've also tested and found the problem you
mentioned, and I've also tried setting Context.Trace.IsEnabled in
certain Application events, but that didn't work either. I'm afraid
currently we may have to manually define the <location> ...</location>
setting for each sub folder in the application if we do need to completely
prevent unauthorized users from viewing the application trace, but I
don't think this is a possible means. And I think another option is to
limit the trace to only local users via

<trace localOnly="true" ..>

Please feel free to let me know if you have any further concerns. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
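
Added example (not from any poster in this thread): a Python audit of a web.config that reports the gap described above, where a `<location path="trace.axd">` rule guards only its own folder while tracing is enabled with `localOnly="false"`. The sample config is constructed, `audit_trace_config` is a hypothetical helper name, and the script assumes a web.config with no XML namespace on `<configuration>`.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the rule from the first post plus an enabled <trace> element.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
  <location path="trace.axd">
    <system.web>
      <authorization>
        <allow roles="SOME GROUP"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _flag(element, name, default):
    """Read a boolean attribute, using the ASP.NET default when it is absent."""
    value = None if element is None else element.get(name)
    return default if value is None else value.strip().lower() == "true"


def audit_trace_config(xml_text):
    """Summarise who can reach the trace viewer according to a web.config."""
    root = ET.fromstring(xml_text)
    trace = root.find("./system.web/trace")
    enabled = _flag(trace, "enabled", False)      # ASP.NET default: off
    local_only = _flag(trace, "localOnly", True)  # ASP.NET default: local only
    scopes = []  # folders whose trace.axd has an <authorization> rule
    for loc in root.findall("./location"):
        path = (loc.get("path") or "").replace("\\", "/").strip("/").lower()
        guarded = loc.find("./system.web/authorization") is not None
        if guarded and (path == "trace.axd" or path.endswith("/trace.axd")):
            scopes.append(path.rpartition("/")[0] or "(application root)")
    remote = enabled and not local_only
    findings = []
    if remote and not scopes:
        findings.append("trace viewer reachable remotely, no authorization rule")
    elif remote:
        findings.append("rule covers trace.axd only in: " + ", ".join(scopes)
                        + "; other folders still serve it (as reported above)")
    return {"remote_exposure": remote, "rule_scopes": scopes, "findings": findings}


if __name__ == "__main__":
    for line in audit_trace_config(SAMPLE_WEB_CONFIG)["findings"]:
        print(line)
```

With `localOnly="true"` (the ASP.NET default) the audit returns no findings, which matches the option suggested in the last reply.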
 
