Custom User Data Serialization Question
Galarun
Posted on
Jul 09 2014
Is there any way to override or manipulate how the custom user data gets serialized into JSON? We'd like to pass our user session data object along with the error information, however it contains a couple of properties that have sensitive data. I'd like to omit the properties from being serialized either by specifying the names of the properties or using another JSON serializer. I'd imagine it would be similar to how you could omit specific form fields from being sent with the error (e.g. don't serialize fields "CardNumber" and "Password").
Worst-case scenario would be to create new classes that do not have these sensitive fields and manually populate them when an exception occurs, however this is very inflexible so I'd like to know if there was something I'm missing.
Jason Fauchelle
Raygun
Posted on
Jul 15 2014
Hello Galarun
Thanks for this suggestion. Unfortunately there currently isn't a way to specify properties to ignore, or to switch out a different JSON serializer. I have put this on our backlog, but don't have a time frame of when we can complete this. For now you'd need to create new classes (or object instances) that don't have the sensitive data. We'll let you know when we implement an option here.
-Jason Fauchelle
Eric L.
Posted on
Dec 11 2014
I second that request. I just launched a small web app and I am having users register, currently with login/password. I just realized that, if they get an error on their register request or change password request, the actual password is being sent to Raygun.io... big no-no for using this in a more professional environment. Any suggestions on how to pull the password out of the error message? Or a recommendation on how to encrypt that in the request and decrypt it in ASP.NET MVC?
Jason Fauchelle
Raygun
Posted on
Dec 11 2014
Hi Eric,
We currently provide a few options that will allow you to prevent sending sensitive data for your scenario. If you are sending the login/password as form fields, you can set the "ignoreFormFieldNames" config option on the RaygunSettings tag in web.config. Set it to be a comma-separated list of field names that you want to be ignored from all reports sent from Raygun4Net. Alternatively, you could set that config option to the wildcard value * which will prevent Raygun4Net from sending any form values at all. Also, if you put * before, after or at both ends of an entry in the comma-separated list, you can create an ends-with, starts-with or contains query.
Similarly, there are config options to prevent Raygun from sending other types of values: ignoreHeaderNames, ignoreCookieNames and ignoreServerVariableNames.
If however you are sending the login/password within the request body, you could set the config option isRawDataIgnored to true which will prevent Raygun4Net sending the request body. Currently we don't have options to selectively look through the request body and pick pieces out of it before sending. (i.e. you can't specify bits of a JSON payload to be stripped out).
One of these features should be what you want. Please let me know if you have any questions about what I've explained here.
-Jason Fauchelle
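One way to build the sanitized copy suggested earlier in the thread without hand-writing a second class, as an added example that is not Raygun4Net code and not part of the original posts: a reflection helper that copies an object's public properties into a dictionary, skipping names that match a comma-separated list using the same `*` convention described above for ignoreFormFieldNames. The names `SafeCustomData`, `IsIgnored` and `From`, the case-insensitive matching, and the sample session object are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (hypothetical helper, not part of Raygun4Net).
public static class SafeCustomData
{
    // "*" = ignore everything, "*x" = ends-with, "x*" = starts-with,
    // "*x*" = contains, otherwise exact match. Case-insensitive by assumption.
    public static bool IsIgnored(string name, IEnumerable<string> patterns)
    {
        var cmp = StringComparison.OrdinalIgnoreCase;
        foreach (var raw in patterns)
        {
            var p = raw.Trim();
            if (p.Length == 0) continue;      // skip empty list entries
            if (p == "*") return true;
            bool lead = p[0] == '*', trail = p[p.Length - 1] == '*';
            var core = p.Trim('*');
            bool hit = lead && trail ? name.IndexOf(core, cmp) >= 0
                     : lead ? name.EndsWith(core, cmp)
                     : trail ? name.StartsWith(core, cmp)
                     : name.Equals(core, cmp);
            if (hit) return true;
        }
        return false;
    }

    // Shallow copy of readable public properties, minus ignored names.
    // Nested objects are copied by reference and are NOT filtered.
    public static Dictionary<string, object> From(object source, string ignoreList)
    {
        var patterns = ignoreList.Split(',');
        return source.GetType().GetProperties()
            .Where(pr => pr.CanRead && pr.GetIndexParameters().Length == 0)
            .Where(pr => !IsIgnored(pr.Name, patterns))
            .ToDictionary(pr => pr.Name, pr => pr.GetValue(source, null));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample session object.
        var session = new { UserId = 42, Email = "a@example.com",
            Password = "hunter2", CardNumber = "4111111111111111", AuthToken = "abc" };
        var data = SafeCustomData.From(session, "Password,Card*,*Token");
        foreach (var kv in data) Console.WriteLine(kv.Key + " = " + kv.Value);
    }
}
```

Only `UserId` and `Email` survive the filter here; the resulting dictionary is what would be attached as custom data in place of the original session object.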
Eric L.
Posted on
Dec 11 2014
Thanks Jason. I turned those on. We'll see how it looks shortly.