
Security Vulnerability: Stop logging raw session tokens

Currently, active bearer tokens are exposed at the "INFO" log level by the IdentityAuthorizationServerProvider class, i.e.:

_log.Information($"Authentication Request: {GetRequestInfo(context)}");

This allows any malicious user with read-access to logs to assume the identity of any currently active user, including administrative users.

To prevent session hijacking, raw session tokens should not be exposed (ref OWASP: http://owasp-aasvs.readthedocs.io/en/latest/requirement-3.6.html).

If session-based troubleshooting/diagnostics is required, a common approach is to one-way hash (e.g. MD5) the session token before recording it.

#192464
May 17, 2018 10:49
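One way to apply the hashing approach described above, as an added C# example that is neither Episerver's code nor the poster's: it substitutes SHA-256 for the MD5 mentioned, and assumes GetRequestInfo(context) returns a single string containing the Authorization header.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Added example (not Episerver code): log a correlation fingerprint instead of the raw token.
public static class TokenLogSanitizer
{
    // Matches "Bearer <token>" in a header dump; charset covers JWT and opaque base64url tokens.
    private static readonly Regex BearerPattern =
        new Regex(@"Bearer\s+([A-Za-z0-9\-._~+/]+=*)", RegexOptions.IgnoreCase);

    // One-way fingerprint: SHA-256 (chosen here instead of the MD5 suggested in the post),
    // truncated so the value still correlates log lines but cannot be replayed as a session.
    public static string Fingerprint(string token)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(token));
            var hex = new StringBuilder();
            for (int i = 0; i < 8; i++) hex.Append(digest[i].ToString("x2"));
            return hex.ToString(); // 16 hex chars = first 64 bits of the digest
        }
    }

    // Rewrites every bearer token in a request-info string to "Bearer sha256:<prefix>".
    public static string Redact(string requestInfo)
    {
        return BearerPattern.Replace(requestInfo,
            m => "Bearer sha256:" + Fingerprint(m.Groups[1].Value));
    }

    public static void Main()
    {
        // Constructed sample of what GetRequestInfo(context) might return; not real data.
        string raw = "POST /oauth/token Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123 User-Agent: curl/7.58";
        string safe = Redact(raw);
        Console.WriteLine(safe);
        // The logging call should then receive the sanitized string:
        // _log.Information($"Authentication Request: {safe}");
    }
}
```

The same fingerprint can be logged at DEBUG on the server and matched against a hash of the token the client presents when a support case needs to be traced.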
This I can agree with, at least partly. The level of logging should have been DEBUG. The reason was that it can be later used for debugging and diagnosis. I will file a bug for it. Thanks.

#192470
May 17, 2018 11:44