Bug #26957
Updated by Lukas Zapletal almost 6 years ago
We send the data to correlate logs but instead request we send session id. This is confusing, I am going to actually send both. Edit: Also, second part of the problem is that we send session id, which could be vulnerable to session hijacking. We must only send logging_token which is a randomly generated token stored in the session. -- this is actually not true, session mdc field is not vulnerable.