Foreman sends session instead of request as X-Request-Id
We send the data to correlate logs, but instead of the request we send the session ID. This is confusing; I am going to actually send both.
Edit: Also, the second part of the problem is that we send the session ID, which could be vulnerable to session hijacking. We must only send logging_token, which is a randomly generated token stored in the session. -- this is actually not true, the session MDC field is not vulnerable.
#1 Updated by Lukas Zapletal almost 4 years ago
- Description updated (diff)
#2 Updated by The Foreman Bot almost 4 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/6827 added
#3 Updated by Lukas Zapletal almost 4 years ago
- Related to Bug #26962: Send also session id to structured logs added
#4 Updated by Tomer Brisker almost 4 years ago
- Fixed in Releases 1.22.1, 1.23.0 added
#5 Updated by Lukas Zapletal almost 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 48af620c0c1020fe4c34ab6f0b612c5e71387795.
Fixes #26957 - send request id instead session to proxy