Bug #26957
Updated by Lukas Zapletal about 4 years ago
We send the data to correlate logs, but instead of request we send session id. This is confusing, I am going to actually send both.
Edit: Also, second part of the problem is that we send session id, which could be vulnerable to session hijacking. We must only send logging_token which is a randomly generated token stored in the session. -- this is actually not true, session mdc field is not vulnerable.