>  I haven't tried it yet, but can't I use that info to hijack the session?

You can...

Create a cookie: (please excuse the full stops as spaces, didn't trust it
to render correctly)

Key............................... Value
JSESSIONID ................ 7asvmtwoesbc6ia3e4kxtzrl
sessionKey ................... ec6h46Om8a1y3d%252BhrdIpQ85cAfc%253D

and pass all requests with a parameter of:
sessionkey = ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D

>  So that api.log file really needs to be protected in the same way a file
> with a password in it would be

I don't have the manager deployed anywhere to test this but I would hope
the log file is read/write only to the owner user.

> I would suggest that we just don't log the sessionId or sessionKey.

+1 to that.


On 13 September 2013 21:40, Darren Shepherd <darren.s.sheph...@gmail.com> wrote:

> I just noticed api.log which seems to log all the API access in a form like
>
> 2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer] (2011638958@qtp-
> 657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2 accountId=2
> sessionId=7asvmtwoesbc6ia3e4kxtzrl)
> 127.0.0.1 -- GET command=listZones&response=json&sessionkey=
> ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422 200 {
> "listzonesresponse" : { "count":1 ,"zone" : [ {"id":"cdaf82f1-3b57-4aa4-
> b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2"
> :"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","
> securitygroupsenabled":true,"allocationstate":"Enabled","
> zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","
> dhcpprovider":"VirtualRouter","localstorageenabled":false} ] } }
>
> The sessionId and sessionKey is logged in the file.  I haven't tried it
> yet, but can't I use that info to hijack the session?  That introduces a
> security issue in that any server operator can now hijack anybody's
> session.  So that api.log file really needs to be protected in the same way
> a file with a password in it would be.
>
> I would suggest that we just don't log the sessionId or sessionKey.
>
> Darren
>
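As an added example, not code from this thread or from the project being discussed: the suggestion above (stop logging sessionId and sessionKey) can be enforced at the logging layer with a filter that scrubs those values before a line reaches api.log, and the same pattern doubles as a scan over an existing log to confirm nothing slipped through. The log lines below are constructed for this example in the shape of the quoted api.log entry, with made-up session values; the names `SessionRedactingFilter`, `redact_session_secrets` and `leaks_session_secret` are assumptions, not identifiers from the project.

```python
import logging
import re

# Matches sessionId=<value> in the request context and sessionkey=<value> in
# the query string (key is case-insensitive). A value runs until the next
# '&', whitespace or ')' so it stops at the end of a query parameter or the
# closing parenthesis of the "(userId=... sessionId=...)" context block.
_SESSION_RE = re.compile(r'(?i)\b(sessionid|sessionkey)=([^&\s)]+)')

REDACTED = '[REDACTED]'


def redact_session_secrets(line: str) -> str:
    """Replace every session identifier value with a fixed marker, keeping the key name."""
    return _SESSION_RE.sub(lambda m: f'{m.group(1)}={REDACTED}', line)


def leaks_session_secret(line: str) -> bool:
    """True if the line still carries a real session value (use for scanning an existing api.log)."""
    return any(m.group(2) != REDACTED for m in _SESSION_RE.finditer(line))


class SessionRedactingFilter(logging.Filter):
    """logging.Filter that scrubs session values from a record before any handler writes it.

    The record's message is rendered first (msg % args) and the redacted text is
    stored back as a plain msg with no args, so handlers cannot reintroduce the value.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_session_secrets(record.getMessage())
        record.args = ()
        return True  # keep the record, just with the secrets removed


def redacted_record(msg: str, *args) -> str:
    """Build a LogRecord the way logging would, run it through the filter, return the text."""
    rec = logging.LogRecord('api', logging.INFO, __file__, 0, msg, args, None)
    SessionRedactingFilter().filter(rec)
    return rec.getMessage()


# Constructed sample lines: first one carries both secrets, second has neither.
SAMPLE_LOG = [
    '2013-09-13 00:02:09,451 INFO  [a.c.c.a.ApiServer] (ctx-81b1e088) '
    '(userId=2 accountId=2 sessionId=s3ss10nIdEXAMPLE) '
    '127.0.0.1 -- GET command=listZones&response=json'
    '&sessionkey=k3yEXAMPLE%2Bx%3D&_=1379055729422 200 {"listzonesresponse":{"count":1}}',
    '2013-09-13 00:02:10,002 INFO  [a.c.c.a.ApiServer] (ctx-81b1e089) '
    '(userId=2 accountId=2) 127.0.0.1 -- GET command=listZones&response=json'
    '&_=1379055730001 401',
]


def scan_log(lines):
    """Return (line_number, line) for every line that still exposes a session value."""
    return [(i + 1, line) for i, line in enumerate(lines) if leaks_session_secret(line)]


if __name__ == '__main__':
    # Scan the constructed log as if it were an existing api.log.
    for lineno, line in scan_log(SAMPLE_LOG):
        print(f'line {lineno} leaks a session value')
        print('  scrubbed:', redact_session_secrets(line))

    # Install the filter on a logger so new lines are scrubbed at write time.
    logger = logging.getLogger('api')
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler()
    handler.addFilter(SessionRedactingFilter())
    logger.addHandler(handler)
    logger.info('(userId=%s sessionId=%s) GET command=listZones&sessionkey=%s',
                2, 's3ss10nIdEXAMPLE', 'k3yEXAMPLE%2Bx%3D')
```

Attaching the filter to the handler that writes api.log (rather than to one logger) is the safer placement, since every record passing through that file goes through it regardless of which logger produced it; the scan is useful for the rotated logs already on disk, which keep the values until they are purged.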
