Currently sessions are restored by trusting the cookie from the browser. And the session IDs are printed in the logs, which means the sessions can be copied by admins having access to the gateway logs.
Suggestion:
Sign the session ID with asymmetric encryption and use "SessionID+Signature" as a cookie
In the logs, only print the session ID. This allows debugging, but makes session hijacking more complex (need access to logs AND private key used for signing).
leafty
commented
2 weeks ago
Currently sessions are restored by trusting the cookie from the browser. And the session IDs are printed in the logs, which means the sessions can be copied by admins having access to the gateway logs.
Suggestion: