Closed ChakshuGautam closed 3 years ago
Thanks for filing this. As the report describes, the risk presented by using the default name is that it leaks what technologies a server is built on. However, this is not relevant for an open source application such as ODK Aggregate -- the whole source code is available right here, so it's trivial to find what technology it uses.
In the Context file there needs to be a parameter for the cookie name, similar to this; otherwise it would always default to `JSESSIONID`. A sample would be:

```xml
<Context useHttpOnly="false" sessionCookieName="JSID">
```

Background Context: A security agency asked us to change the cookie name as a fix for [Session ID Name Fingerprinting](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-name-fingerprinting).
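As an added example (not part of this issue and not ODK Aggregate's own code), here is a small Python checker that audits `Set-Cookie` header values for the two properties at stake in this thread: a default session cookie name that fingerprints the servlet container, and the presence of the `HttpOnly` and `Secure` attributes. The header values, the cookie path and the list of default names are constructed for the example. Run against a response from the sample `Context` above, it would report the renamed cookie as clean on fingerprinting but flag the missing `HttpOnly`, since that sample also sets `useHttpOnly="false"`.

```python
# Audit Set-Cookie headers for session-ID fingerprinting and missing cookie flags.
# Constructed example; the header values below are not from any real server.

# Well-known default session cookie names and the stack each one reveals.
DEFAULT_SESSION_COOKIES = {
    "JSESSIONID": "Java servlet container (e.g. Tomcat)",
    "PHPSESSID": "PHP",
    "ASP.NET_SessionId": "ASP.NET",
    "CFID": "ColdFusion",
    "CFTOKEN": "ColdFusion",
}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (cookie name, attributes).

    Attribute names are lower-cased; attributes without a value (HttpOnly,
    Secure) map to True so callers can test for presence.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty if clean)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if name in DEFAULT_SESSION_COOKIES:
        findings.append(
            f"default name {name} fingerprints {DEFAULT_SESSION_COOKIES[name]}"
        )
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    return findings


# Constructed sample headers: the container default, the renamed cookie from the
# sample Context (which disables HttpOnly), and a fully hardened variant.
SAMPLE_HEADERS = [
    "JSESSIONID=ABCDEF0123456789; Path=/; HttpOnly",
    "JSID=ABCDEF0123456789; Path=/",
    "JSID=ABCDEF0123456789; Path=/; Secure; HttpOnly",
]


def audit_all(headers):
    """Map each header to its findings, preserving input order."""
    return [(h, audit_session_cookie(h)) for h in headers]


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{header}\n    -> {status}")
```

The check treats the cookie name and the flags as separate findings on purpose: renaming the cookie removes the fingerprint, but it does nothing for session theft via script access or plaintext transport, which is what `HttpOnly` and `Secure` address.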