> I haven't tried it yet, but can't I use that info to hijack the session?
You can... Create a cookie: (please excuse the full stops as spaces, didn't trust it to render correctly)

Key ............... Value
JSESSIONID ........ 7asvmtwoesbc6ia3e4kxtzrl
sessionKey ........ ec6h46Om8a1y3d%252BhrdIpQ85cAfc%253D

and pass all requests with a parameter of:

sessionkey = ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D

> So that api.log file really needs to be protected in the same way a file with a password in it would be

I don't have the manager deployed anywhere to test this but I would hope the log file is read/write only to the owner user.

> I would suggest that we just don't log the sessionId or sessionKey.

+1 to that.

On 13 September 2013 21:40, Darren Shepherd <[email protected]> wrote:

> I just noticed api.log which seems to log all the API access in a form like
>
> 2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422 200 { "listzonesresponse" : { "count":1 ,"zone" : [ {"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","securitygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorageenabled":false} ] } }
>
> The sessionId and sessionKey are logged in the file. I haven't tried it yet, but can't I use that info to hijack the session? That introduces a security issue in that any server operator can now hijack anybody's session. So that api.log file really needs to be protected in the same way a file with a password in it would be.
>
> I would suggest that we just don't log the sessionId or sessionKey.
>
> Darren
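An added example of the defensive side of this thread (my own code, not CloudStack's): a redaction filter for lines in the api.log format quoted above, an audit that reports lines still carrying raw session values, and the owner-only permission check the reply hopes is in place. The sample lines and token values are constructed, and the field names and regexes are assumptions based on the quoted line only.

```python
import re
import stat

# Two constructed api.log lines in the format quoted in the thread; the
# session values are placeholders, not real tokens.
SAMPLE_LOG = (
    "2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (ctx-81b1e088) "
    "(userId=2 accountId=2 sessionId=EXAMPLEsessionid) 127.0.0.1 -- GET "
    "command=listZones&response=json&sessionkey=EXAMPLEkey%2Bxyz%3D"
    "&_=1379055729422 200 {\"listzonesresponse\":{\"count\":1}}\n"
    "2013-09-13 00:02:10,002 INFO [a.c.c.a.ApiServer] (ctx-174e4a62) "
    "(userId=2 accountId=2) 127.0.0.1 -- GET command=listZones"
    "&response=json&_=1379055730000 200 {}\n"
)

# The two credential-bearing fields visible in the quoted line: the
# sessionId attribute in the context block and the sessionkey request
# parameter (lower case in the query string, hence IGNORECASE).
_SESSION_ID_RE = re.compile(r"(sessionId=)([^\s)]+)", re.IGNORECASE)
_SESSION_KEY_RE = re.compile(r"(sessionkey=)([^&\s]+)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact_line(line: str) -> str:
    """Replace session values with a marker, keeping the field names so the
    line still parses but can no longer be used to impersonate the user."""
    line = _SESSION_ID_RE.sub(r"\g<1>" + REDACTED, line)
    return _SESSION_KEY_RE.sub(r"\g<1>" + REDACTED, line)


def find_leaked_tokens(log_text: str) -> list[tuple[int, str]]:
    """Report (line number, field name) for every raw session value still
    present, to audit an existing api.log before or after redaction."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for name, rx in (("sessionId", _SESSION_ID_RE),
                         ("sessionkey", _SESSION_KEY_RE)):
            m = rx.search(line)
            if m and m.group(2) != REDACTED:
                hits.append((n, name))
    return hits


def mode_allows_others(mode: int) -> bool:
    """True if any group/other permission bit is set; a log that carries
    credentials should be 0600 (owner read/write only), as the reply above
    hopes it is.  Pass os.stat(path).st_mode to check a real file."""
    return bool(stat.S_IMODE(mode) & 0o077)
```

Run `find_leaked_tokens` over an existing api.log to see whether the fix is in place before relying on file permissions alone; `redact_line` is the shape of filter to apply before the line is written.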
