Project

General

Profile

Bug #26957

Updated by Lukas Zapletal about 4 years ago

We send the data to correlate logs but instead request we send session id. This is confusing, I am going to actually send both.

Edit: Also, second part of the problem is that we send session id, which could be vulnerable to session hijacking. We must only send logging_token which is a randomly generated token stored in the session. -- this is actually not true, session mdc field is not vulnerable.

Back