Securing ELMAH

“install-package elmah” is the easiest way to get started with ELMAH. One of the important and easily forgotten considerations is to secure it. Recently I came across a situation where I had to secure ELMAH on a web application running in VB.NET on the 4.0 framework and, of course, custom forms authentication 😀

If anyone is interested in the debate over why ELMAH should be secured, give this a read:

http://www.troyhunt.com/2012/01/aspnet-session-hijacking-with-google.html

One of the easiest and simplest ways to secure ELMAH is to use roles and users in web.config. Besides that, there is also an interesting solution by Phil Haack:

http://haacked.com/archive/2007/07/24/securely-implement-elmah-for-plug-and-play-error-logging.aspx/

However, if you are in a situation where you do not want elmah.axd running at every location and just want to see ELMAH exceptions from an admin application, give the following a read:

http://lowleveldesign.wordpress.com/2013/03/24/elmah-axd-log-viewer-for-multiple-apps/

But the problem is still how to secure it: how to restrict access, and redirect to a login page that already exists in the application, if someone tries to access elmah.axd at a location that only you are supposed to know.

The answer is that you need to create a custom handler in your application that wraps the ELMAH handler and hands it to the pipeline as a handler that opts into session state. ELMAH's own handler does not request session state, so without this wrapper the session is not available when elmah.axd is requested.

Now you can make use of Global.asax and check the usual session variables in an event such as Application_PreRequestHandlerExecute, making sure that only an authenticated user can access elmah.axd.
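The two steps above, as an added example in C# (it is not the code from the linked download, and ELMAH itself is C#; the same shape works in VB.NET). Assumptions: the namespace MyApp, the class names, the session key "IsAdmin" and the login page ~/Login.aspx are invented for the example; Elmah.ErrorLogPageFactory and IRequiresSessionState are the real ELMAH and ASP.NET types.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

namespace MyApp
{
    // Wraps the ELMAH handler and opts it into session state. ASP.NET only
    // acquires Session for handlers that implement IRequiresSessionState, so
    // without this wrapper Session is null in Global.asax for elmah.axd.
    public sealed class SessionAwareHandler : IHttpHandler, IRequiresSessionState
    {
        private readonly IHttpHandler _inner;
        public SessionAwareHandler(IHttpHandler inner) { _inner = inner; }
        public bool IsReusable { get { return false; } }
        public void ProcessRequest(HttpContext context) { _inner.ProcessRequest(context); }
    }

    // Registered in web.config in place of Elmah.ErrorLogPageFactory, e.g.
    // <add verb="POST,GET,HEAD" path="elmah.axd"
    //      type="MyApp.SecuredElmahHandlerFactory, MyApp" />
    public sealed class SecuredElmahHandlerFactory : IHttpHandlerFactory
    {
        private readonly IHttpHandlerFactory _elmah = new Elmah.ErrorLogPageFactory();

        public IHttpHandler GetHandler(HttpContext context, string requestType,
                                       string url, string pathTranslated)
        {
            IHttpHandler inner = _elmah.GetHandler(context, requestType, url, pathTranslated);
            return new SessionAwareHandler(inner);
        }

        public void ReleaseHandler(IHttpHandler handler) { }
    }

    // Global.asax.cs: PreRequestHandlerExecute runs after session state has
    // been acquired, so the custom forms-auth session flag can be checked here.
    public class Global : HttpApplication
    {
        protected void Application_PreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (!(ctx.Handler is SessionAwareHandler)) return;   // not an ELMAH request

            object flag = ctx.Session == null ? null : ctx.Session["IsAdmin"];
            bool isAdmin = flag is bool && (bool)flag;
            if (!isAdmin)
            {
                string returnUrl = HttpUtility.UrlEncode(ctx.Request.RawUrl);
                ctx.Response.Redirect("~/Login.aspx?ReturnUrl=" + returnUrl, true);
            }
        }
    }
}
```

Keep the web.config `<authorization>` rule for elmah.axd as well; the session check is the second gate for installations that use a custom login page rather than ASP.NET roles.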

Hope this helps!

Securing_Elmah_SourceCode
