#28024 Session IDs only in hashed form in the log and monitor

Enhancement

Major

#27963

TL-Script: Access to the label of a specialized object in a given language

#27998

TL script function for filtering according to authorizations

#27999

Save composition references in different tables

#28049

OpenAPI interface in the user context

#28079

Preload for ForeignKeyStorage

Detail

#28005

Add model meta properties

#28012

TL script: Query whether object is transient

#28014

Improved number and image display on tiles and text alignment

#28017

Core theme: Reducing the spacing and adjusting the width of subtitles in forms

#28018

Improved display of dropdown buttons

#28036

Migration processors for model mapping

#28041

Extension of the TL icon font

#28051

Fast identifier allocation for high demand

#28057

KBCache for accesses and roles "by name"

#28058

Configurable copyright header in generated wrapper classes

#28061

Value conversion when setting values in transient objects

#28063

Define database column for HTML attributes

#28074

Cache application values of primitive types in the persistence layer

#28080

TL-Script: Deep Copy in batch mode with preload

Nice to have

#27867

Core-Theme: Script-Recorder Icons

#28050

Extract TL-Sync into own project

#28089

Rendering safety: Catching errors when rendering template variables

Bugfix

Major

#27750

Missing save request when closing dialog

#28035

Core theme: "comfort/compact" theme reduces the size of all charts

Detail

#27839

Duplicate tooltips on sidebar buttons

#27959

Updates of icons in form headers defective

#27996

Delete does not appear in the context menu of multi-selection components

#28002

Unchanged calculated default value is overwritten when saving

#28003

Application crashes, if some themes or some layouts have errors

#28004

Error when saving new classifiers in a TLEnum

#28011

Incorrect classification of association endings in compositions

#28013

Script Recorder: Saving scripts does not show the file name field

#28015

Core theme: The compact version is usually selected as the default

#28021

Buttons in the declarative form are not at the same height

#28024

Session IDs only in hashed form in the log and monitor

#28027

Calculated attributes are not evaluated in transient objects

#28028

Order of calculated columns is not taken into account in the standard columns

#28030

No replay for version upgrade from TL-6 to TL-7.8

#28048

Sequence of migration instructions is incorrect

#28062

A module always loads all its types unnecessarily

#28075

Missing "abstract" property for TLProperty's

Nice to have

#28006

Addition of missing @TemplateType annotations for ThemeVar variables

#28043

Error in SQL migration utility

#28072

Migration for #27517 (User Management) crashes with inconsistencies

#28090

IDEFileSystemCache logs errors with fast creation and subsequent deletion

Bugfix

Detail

#28024

Session IDs only in hashed form in the log and monitor

SecurityIssue

With #27720, log messages from user sessions are provided with the session ID. This is unfavorable from a security point of view, as it may allow a reader of the log file to take over a session.

The display of the session ID in the user monitor is also questionable from this point of view.

See https://cheatshe etseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

Solution

Create an additional identifier for the session (hash value of the session ID) and use it to find logs of a session.

Test

No automatic test, as too time-consuming.

Start the application, use it, for example produce errors via the error pages in the technical demo and check that no log message contains the real session ID but only the hashed one. The latter has the form S(...), with a Base64 value in brackets.
The "Administration > Monitor > User history" view also only shows the hashed session ID.