I'd like to suggest an improvement for the <access-log> configuration in the
context of security improvements.


Background:
So far I've been logging the value of the JSESSIONID cookie with every
request in the access.log.

It's configured like this (Resin-3.1):
    <access-log path="logs/access.log"
                format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %{JSESSIONID}c'
                archive-format="access-%Y%m%d.log.gz"
                rollover-period="1W"/>


As an activity to obviate the TOP3 of the most critical web application
security risks, which is "Broken Authentication and Session Management" (see
OWASP Top 10 – 2010), one should follow the advice in resin.conf:
    <!--
       - For security, use a different cookie for SSL sessions.
       - <ssl-session-cookie>SSL_JSESSIONID</ssl-session-cookie>
      -->


Afterwards, the access-log configuration would still log the non-ssl cookie
(JSESSIONID) and therefore one must extend the access-log format with
another "%{SSLJSESSIONID}c".

It would be nice if there existed a format pattern such as

    %S    SessionId of Request (representing getId() of
javax.servlet.http.HttpSession)


Then it would be sufficient to configure the format pattern of <access-log>
like this:
            format='%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"#Sess: %S'
and the access.log would contain the JSESSIONID value for http requests and
JSESSIONID for https requests.


-- Steffen
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest
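The point of logging the session id with every request is to be able to correlate requests per session afterwards. As an added example that is not part of Steffen's mail or of Resin, here is a small parser for the "#Sess:" format above that groups requests by session id and flags ids seen from more than one client host, which is what an analyst reviewing for session hijacking would look for. The log lines are constructed for the example; the assumption that Resin writes "-" for a missing cookie is mine.

```python
import re
from collections import defaultdict

# Combined log format with the "#Sess: <cookie>" suffix from the mail above.
# Assumption: a request without the cookie is logged as "#Sess: -".
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"#Sess: (?P<session>\S+)$'
)

# Constructed sample lines (not from any real server). Session aaaa1111 is
# used from two different client addresses with a different User-Agent.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2010:13:55:36 +0200] "GET /app/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"#Sess: aaaa1111
192.0.2.10 - - [10/Oct/2010:13:55:40 +0200] "POST /app/login HTTP/1.1" 302 0 "http://example.com/app/" "Mozilla/5.0"#Sess: aaaa1111
198.51.100.7 - - [10/Oct/2010:13:57:01 +0200] "GET /app/account HTTP/1.1" 200 981 "-" "curl/7.21"#Sess: aaaa1111
192.0.2.10 - - [10/Oct/2010:13:58:12 +0200] "GET /app/static.css HTTP/1.1" 200 410 "-" "Mozilla/5.0"#Sess: -
203.0.113.5 - - [10/Oct/2010:14:01:00 +0200] "GET /app/ HTTP/1.1" 200 2326 "-" "Mozilla/5.0"#Sess: bbbb2222
"""


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def sessions_by_client(text):
    """Map session id -> set of (client host, user-agent) pairs seen with it."""
    seen = defaultdict(set)
    for rec in parse_lines(text):
        if rec["session"] != "-":  # "-" means no session cookie on this request
            seen[rec["session"]].add((rec["host"], rec["agent"]))
    return seen


def suspicious_sessions(text):
    """Session ids used from more than one client host: candidates for a
    hijack/fixation review (or, benignly, a client behind a changing NAT)."""
    return {sid: pairs for sid, pairs in sessions_by_client(text).items()
            if len({host for host, _ in pairs}) > 1}
```

Because the raw cookie value in the log is enough to resume the session, access logs written this way need the same protection as the session store itself; storing a truncated hash of the id instead would keep the correlation while removing that exposure.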
