Project

General

Profile

Bug #26957

Updated by Lukas Zapletal almost 6 years ago

We send the data to correlate logs but instead request we send session id. This is confusing, I am going to actually send both. 

 Edit: Also, second part of the problem is that we send session id, which could be vulnerable to session hijacking. We must only send logging_token which is a randomly generated token stored in the session. -- this is actually not true, session mdc field is not vulnerable.

Back