
Short version: Is it not recommended to store session IDs in log files or databases in plaintext (considering it may put active sessions at risk)? If so, why do I see so many queries about how to log the session ID?

Details: I have come across multiple resources related to security engineering which discuss why we should not log the session ID into application log files or store it in a DB in plaintext format. For example, this is one of them: https://www.stigviewer.com/stig/application_security_and_development/2017-12-18/finding/V-69363. It recommends using some kind of hashed value to identify unique sessions.

However, while I was working with the Spring Security library (one of the most prominent ones on the Java platform), I found that the session ID was available in plaintext in the logs in DEBUG mode. This value was the exact JSESSIONID that I received in the Set-Cookie header of the response.

In addition, I could also find several queries and resolutions on the internet related to logging the session ID in Apache, logging frameworks, etc.

Looking at these, I am now confused about whether it really is not a good practice to log the session ID. Could somebody please provide some more clarity?

ramtech
    It's probably ok for debugging purposes, not something to enable in a live environment. If a session ID is tied to the IP and expires pretty soon (at every session), the threat of stolen IDs might be mitigated. Otherwise, storing them anywhere in plaintext is going to be a risk. – reed May 17 '21 at 13:17

2 Answers


You are right, it is not recommended to log sensitive information (passwords, session IDs, credit cards, etc) as log files may be handled less securely than storage that is specifically designed for this information.

But it is also not recommended to run debug mode in production, as it may introduce security issues. Spring Security, for example, documents this:

This may include sensitive information, such as request parameters or headers, and should only be used in a development environment.

tim
  • Thanks for that Spring documentation link. With that, now I'm getting consistent answers from all sides and that helps to gain clarity. +1 – ramtech May 18 '21 at 19:09

Keep in mind: anyone with access to the logs can immediately take over the logged session (if it is not expired and not tied to e.g. the client IP). That can be an immense risk, even if this is not production.

It is much safer to log a hash of the session ID (which is also better than logging a truncated version of the session ID), since the sole purpose is usually to see the activity per session; it is not necessary to know the actual session ID, and another unique identifier (like a hash) works just as well. Of course, this assumes that the session ID itself is generated randomly using a secure random generator and that a proper cryptographic hash function (like SHA-256) is used in order to minimize the risk of hash collisions.
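As an added example (not code from the question, the answers, or Spring Security), here is what "log a hash, not the ID" looks like in Python: a stable SHA-256 pseudonym for a session ID, a keyed HMAC variant for the case where the ID's entropy is in doubt, and a logging filter that rewrites JSESSIONID values in lines that echo request or response headers before any handler writes them. The cookie name JSESSIONID is the Servlet default; the regex, the function names and the sample log lines are constructed for this example.

```python
"""Log a one-way pseudonym of a session ID instead of the ID itself.

Added example, not code from the original question or from Spring Security.
The cookie name JSESSIONID is the Servlet default; the regex, the log lines
and the helper names are constructed for this example.
"""
import hashlib
import hmac
import logging
import re

# Matches the Servlet session cookie as it appears in Cookie / Set-Cookie
# headers, e.g. "JSESSIONID=7E0C...". The value charset here is an assumption
# (hex plus a few extras); widen it if your container emits other characters.
SESSION_COOKIE_RE = re.compile(r"(JSESSIONID=)([A-Za-z0-9._-]+)")


def session_log_id(session_id: str) -> str:
    """Stable, non-reversible identifier for a session, for use in logs.

    SHA-256 of the raw ID: the same session always maps to the same 64-char
    hex string, so activity can still be correlated per session, but the
    logged value cannot be replayed as a cookie. This is only safe because a
    properly generated session ID already carries >= 128 bits of entropy,
    which makes a preimage search over candidate IDs infeasible.
    """
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def session_log_id_keyed(session_id: str, key: bytes) -> str:
    """Keyed variant (HMAC-SHA256) for session IDs whose entropy you do not
    trust: without the key, someone holding the logs cannot confirm guessed
    IDs against the logged digests. The key must be kept out of the logs."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def redact_line(line: str) -> str:
    """Replace every JSESSIONID value in a log line with its hashed form."""
    return SESSION_COOKIE_RE.sub(
        lambda m: m.group(1) + "sha256:" + session_log_id(m.group(2)), line
    )


class SessionIdRedactor(logging.Filter):
    """Logging filter that rewrites records before any handler formats them.

    Attach it to the handler rather than only to your own logger, so records
    propagated from third-party loggers (a framework's DEBUG output that
    dumps headers, for instance) are covered too.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()  # message is fully rendered now; drop the args
        return True


if __name__ == "__main__":
    # Constructed sample lines resembling DEBUG output that echoes headers.
    sample_lines = [
        "Set-Cookie: JSESSIONID=7E0C0B1E2A5B4C3D9F8E7A6B5C4D3E2F; Path=/; HttpOnly",
        "Cookie: JSESSIONID=7E0C0B1E2A5B4C3D9F8E7A6B5C4D3E2F; theme=dark",
        "Cookie: JSESSIONID=1111AAAA2222BBBB3333CCCC4444DDDD",
    ]
    handler = logging.StreamHandler()
    handler.addFilter(SessionIdRedactor())
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    for line in sample_lines:
        # The raw cookie value never reaches the handler's formatter.
        log.debug("request headers: %s", line)
```

Running it prints the three lines with each cookie value replaced by `sha256:<64 hex chars>`; the first two share the same digest, so they are still recognisable as one session, while the third gets a different one. The pattern only covers the cookie form; if your container also does URL rewriting (`;jsessionid=...` in paths), that form needs its own pattern, and anything that logs the whole `Set-Cookie` header through a different code path needs the same filter on its handler.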