
Is there any reason not to deploy pdb files to a production web server?

I'm working on an ASP.NET web site and I'd like to deploy the pdb files because when unexpected exceptions are thrown, I want to log them with line numbers so I can track down the problem.

But I'm concerned about security and performance.

Is there any security risk to having pdb files on a web server, if I use the stack trace information to log to a non-public file on the web server and don't show it to the user?

As far as performance, I know that it's more expensive to deal with exceptions when there's a pdb file, but the goal is not to have any exceptions, and on the rare case when they occur, to get good tracing data so we can fix the problem.

But one thing I'm not clear about is this: if an exception is thrown and caught, do I still pay the pdb penalty? I'm thinking particularly about the ThreadAbortException thrown when you Response.Redirect. This is a legacy app with a lot of these as part of normal program flow, and so I just catch and ignore these exceptions, but will the presence of a pdb file make this much more costly? Or does .NET ignore the pdb file unless you ask for the stack trace (which I don't, for this particular exception)?

Beyond that, as long as there are no exceptions except for ones I really do want to know about in detail, is there any performance hit from deploying pdb files to the web server?

Joshua Frank asked Feb 19 '14 17:02


2 Answers

As for security, I can't see any real issues with deploying a PDB. The PDB just contains:

  • Mapping between source lines and IL offsets
  • Names of locals
  • Names of source files
  • List of using directives relevant to a given function

Even if the PDB information was leaked, I wouldn't consider any of that sensitive information.

As for performance, the mere presence of a PDB isn't going to change the execution logic of your application. It's only relevant for debugging purposes, and normal execution doesn't interact with it.

JaredPar answered Oct 15 '22 18:10


I agree with JaredPar, though you might consider that most of the things he has listed make it even easier to decompile and reverse engineer your site if the server is hacked.

On the other side, it would also be relatively easy (though with a bit more work) to reverse engineer it without the PDBs, so it's only a minor security risk. Also, depending on the scope of your web site, reverse engineering might not even be an issue.

Adrian Grigore answered Oct 15 '22 18:10
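
The logging approach described in the question, as an added example that is not code from any of the posts above: the full trace with file names and line numbers goes to a log file, and the user sees only a reference ID. `ExceptionLog`, `Describe`, `Record` and the log path are hypothetical names; `StackFrame.GetFileName()` and `StackFrame.GetFileLineNumber()` return `null` and `0` for frames whose assembly has no PDB available.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Text;

static class ExceptionLog
{
    // Builds one log entry. File names and line numbers appear only for
    // frames whose assembly has a matching PDB deployed beside it.
    public static string Describe(Exception ex, string incidentId)
    {
        var sb = new StringBuilder();
        sb.AppendLine($"{DateTime.UtcNow:o} incident={incidentId} {ex.GetType().FullName}: {ex.Message}");
        var trace = new StackTrace(ex, true); // true = ask for file/line info
        foreach (StackFrame frame in trace.GetFrames() ?? new StackFrame[0])
        {
            var method = frame.GetMethod();
            string file = frame.GetFileName();    // null when no symbols
            int line = frame.GetFileLineNumber(); // 0 when no symbols
            string where = file == null ? "(no symbols)" : $"{file}:{line}";
            sb.AppendLine($"  at {method?.DeclaringType?.FullName}.{method?.Name} {where}");
        }
        return sb.ToString();
    }

    // Writes the detailed entry to logPath and returns only an opaque ID.
    public static string Record(Exception ex, string logPath)
    {
        string incidentId = Guid.NewGuid().ToString("N");
        File.AppendAllText(logPath, Describe(ex, incidentId));
        return incidentId;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed path for the demo; in a web app use a directory outside the web root.
        string logPath = Path.Combine(Path.GetTempPath(), "app-errors.log");
        try { throw new InvalidOperationException("constructed failure"); }
        catch (Exception ex)
        {
            Console.WriteLine($"Something went wrong. Reference: {ExceptionLog.Record(ex, logPath)}");
        }
    }
}
```

Running the same build once with and once without the PDB next to the assembly shows the difference in the log: source paths and line numbers in the first case, `(no symbols)` in the second.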