Session token shown in the log file
I'm working on a Java web application running on Tomcat. A session token is generated and stored in a cookie when a user authenticates. Unfortunately, when tracing is enabled, Tomcat dumps the values of the cookies of incoming HTTP requests. This includes the session token in the JSESSIONID cookie!
Extra information:
- The application runs on the customer's premises.
- Tracing can be enabled in production by the customer itself. That is not going to change; I can't prevent it. This point is outside the scope of this question.
- Tomcat is dumping the secret (as a side effect), not my own code.
- I don't need the session token to be traced.
Questions:
- Is this a problem? Should I be concerned?
- How to prevent Tomcat dumping the cookie value?
- As far as I understand, all applications in the world running on Tomcat have this problem. How do the other applications handle it?
Note: The best answer will provide an answer to question #3 with a pointer to documentation, a blog post, or an article.