I'd like to suggest an improvement for the <access-log> configuration in
context of security improvements.

So far I've been logging the value of the JSESSIONID cookie with every
request in the access.log.

It's configured like this (Resin-3.1):
  <access-log path="logs/access.log"
              format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %{JSESSIONID}c'/>

As an activity to obviate the third of the most critical web application
security risks, "Broken Authentication and Session Management" (see
OWASP Top 10 – 2010), one should follow the advice in resin.conf:
       - For security, use a different cookie for SSL sessions.
       - <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>

Afterwards, the access-log configuration would still log the non-SSL cookie
(JSESSIONID), and therefore one must extend the access-log format with
another "%{SSLJSESSIONID}c".

It would be nice if there existed a format pattern such as

    %S    SessionId of Request (representing getId() of

Then it would be sufficient to configure the format pattern of <access-log>
like this:
            format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %S'
and the access.log would contain the JSESSIONID value for http requests and
JSESSIONID for https requests.

-- Steffen
resin-interest mailing list
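As an added example (not part of Steffen's post and not Resin code), the following Python parses access.log lines written in the format from the post and groups requests by the logged session id, which is what one typically wants the "#Sess:" field for when reviewing authentication or session problems. It also models the proposed %S semantic as a small function that picks the SSL session cookie (the SSL_JSESSIONID name from the resin.conf advice) for HTTPS requests and JSESSIONID otherwise. The sample log lines are constructed, and it is an assumption that a missing cookie or a zero-byte response is written as "-" in the Apache style.

```python
import re

# Constructed sample access.log lines in the format from the post:
# %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %{JSESSIONID}c
# Assumption: a missing cookie and a zero-byte body are written as "-" (Apache style).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2010:13:55:36 +0200] "GET /app/index.jsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0"#Sess: abc123
192.0.2.11 - alice [10/Oct/2010:13:55:40 +0200] "POST /app/login HTTP/1.1" 302 - "http://example.com/app/index.jsp" "Mozilla/5.0"#Sess: -
192.0.2.10 - - [10/Oct/2010:13:55:41 +0200] "GET /app/account HTTP/1.1" 200 512 "-" "Mozilla/5.0"#Sess: abc123
"""

# One regex for the whole line; the "#Sess: " literal comes straight from the format string.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"#Sess: (?P<session>\S+)$'
)


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    # "-" means the request carried no session cookie at all.
    d["session"] = None if d["session"] == "-" else d["session"]
    return d


def requests_by_session(log_text):
    """Group request lines ("%r") by session id; requests without a session are skipped."""
    groups = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["session"] is None:
            continue
        groups.setdefault(entry["session"], []).append(entry["request"])
    return groups


def proposed_session_field(scheme, cookies, ssl_cookie="SSL_JSESSIONID"):
    """Model of the requested %S pattern (hypothetical, not a Resin feature):
    log the SSL session cookie for https requests and JSESSIONID otherwise,
    so one format string covers both cookie names."""
    name = ssl_cookie if scheme == "https" else "JSESSIONID"
    return cookies.get(name, "-")


if __name__ == "__main__":
    for sid, reqs in requests_by_session(SAMPLE_LOG).items():
        print(sid, reqs)
    print(proposed_session_field("https", {"JSESSIONID": "plain", "SSL_JSESSIONID": "secure"}))
```

The parser keys on the literal "#Sess: " separator chosen in the post, so a different separator in the format string needs a matching change in LINE_RE; a grouping like this is also the easiest way to check that the secure and plain session ids really are distinct once SSL_JSESSIONID is in use.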