I'd like to suggest an improvement for the <access-log> configuration in the context of security improvements.

Background: So far I've been logging the value of the JSESSIONID cookie with every request in the access.log. It's configured like this (Resin-3.1):

  <access-log path="logs/access.log"
              format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %{JSESSIONID}c'
              archive-format="access-%Y%m%d.log.gz"
              rollover-period="1W"/>

As an activity to obviate the TOP3 of the most critical web application security risks, which is "Broken Authentication and Session Management" (see OWASP Top 10 – 2010), one should follow the advice in resin.conf:

  <!--
     - For security, use a different cookie for SSL sessions.
     - <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
  -->

Afterwards, the access-log configuration would still log the non-SSL cookie (JSESSIONID) and therefore one must extend the access-log format with another "%{SSLJSESSIONID}c".

It would be nice if there existed a format pattern such as

  %S   SessionId of Request (representing getId() of javax.servlet.http.HttpSession)

Then it would be sufficient to configure the format pattern of <access-log> like this:

  format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %S'

and the access.log would contain the JSESSIONID value for http requests and JSESSIONID for https requests.

-- Steffen
_______________________________________________ resin-interest mailing list resin-interest@caucho.com http://maillist.caucho.com/mailman/listinfo/resin-interest
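As an added example (not part of the post above and not Resin code): a small Python script that parses lines written in the access-log format quoted in the post and flags any session id that was presented from more than one client address, which is the kind of check that makes logging the session id worthwhile for a defender. The log lines are constructed, and the assumption that a request without the cookie is logged as "-" is mine.

```python
import hashlib
import re
from collections import defaultdict

# Regex for the access-log format quoted in the post:
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %{JSESSIONID}c
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"#Sess: (?P<session>\S*)$'
)

# Constructed sample lines (not real log data); "-" marks a request without
# the cookie (an assumption about how a missing cookie is rendered).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2010:13:55:36 +0200] "GET /app/index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"#Sess: aXb1c2d3e4f5',
    '192.0.2.10 - - [10/Oct/2010:13:55:40 +0200] "GET /app/account HTTP/1.1" 200 812 "http://example.test/app/index.jsp" "Mozilla/5.0"#Sess: aXb1c2d3e4f5',
    '198.51.100.7 - - [10/Oct/2010:13:57:02 +0200] "POST /app/transfer HTTP/1.1" 302 0 "-" "curl/7.21"#Sess: aXb1c2d3e4f5',
    '203.0.113.5 - - [10/Oct/2010:13:58:11 +0200] "GET /app/index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"#Sess: q9w8e7r6t5y4',
    '203.0.113.5 - - [10/Oct/2010:13:58:12 +0200] "GET /static/app.css HTTP/1.1" 200 410 "-" "Mozilla/5.0"#Sess: -',
]

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def sessions_by_host(lines):
    """Map each logged session id to the set of client hosts that presented it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] in ("", "-"):
            continue  # unparsable line or request without a session cookie
        seen[rec["session"]].add(rec["host"])
    return seen

def find_shared_sessions(lines):
    """Session ids presented from more than one client host: an indicator worth reviewing."""
    return {sid: sorted(hosts) for sid, hosts in sessions_by_host(lines).items() if len(hosts) > 1}

def session_label(session_id):
    """Short hash of a session id so the report does not reproduce the raw credential."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]

if __name__ == "__main__":
    for sid, hosts in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {session_label(sid)} seen from {len(hosts)} hosts: {', '.join(hosts)}")
```

The same parser works for the extended format from the post if the trailing `(?P<session>\S*)` group is followed by a second cookie group for SSL_JSESSIONID.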