Add a mechanism to stop LifecycleLogger.scala from logging out value of JSESSIONID

[aasaru]

Orbeon logs out value of JSESSION id cookie:

2022-03-25 08:52:48,458 org.orbeon.oxf.logging.LifecycleLogger$.event(LifecycleLogger.scala:103) INFO lifecycle - event: {"request": "1", "session": "EB57E453E2A45DFB5256F82031F60D87", "source": "service", "message": "start: handle"}

According to OWASP v4.0.3 V7.1.1:

Verify that the application does not log credentials or payment details. Session tokens should only be stored in logs in an irreversible, hashed form.

Problem is that whoever has access to logs could take over user's session.

Possible solutions:

• add a configuration key to replace value of JSESSIONID with "***" or with a hashed value of JSESSIONID
• log out JSESSIONID with a different logger (so it would be able to exclude it from being logged out).

[ebruchez]

I think that's a reasonable suggestion.