SV.IL.SESSION

Logging of session id

Klocwork reports a SV.IL.SESSION defect when the session ID of the server or client is logged into application logs.

Vulnerability and risk

Sensitive data such as the session ID should not be written to application logs. Logs are typically stored with weaker protection than session state, are read by operators, shipped to remote collectors and retained for long periods; anyone who gains local or remote access to them can replay a logged ID and hijack the session while it is still active.

Mitigation and prevention

Log a salted hash of the session ID instead of the session ID itself. A one-way value still lets you correlate all log lines belonging to one session, but a reader of the log cannot recover the ID from it. Keep the salt (or, better, a server-side key used with an HMAC) out of the log, so that a reader cannot confirm a guessed session ID by recomputing its hash.

Vulnerable code example 1

import javax.servlet.http.*;
import javax.servlet.*;
import java.security.*;
import java.io.*;
 
class Test{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         HttpSession session = request.getSession();
         String id = session.getId();
         // Defect: the raw session ID is written to the servlet log
         request.getSession().getServletContext().log("Session id is: " + id);
    }
}

Klocwork reports an SV.IL.SESSION defect on the getServletContext().log(...) call, indicating, "Logging session id can lead to hijacking of active sessions".

Fixed code example 1

import jakarta.servlet.http.*;
import jakarta.servlet.*;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.io.*;
 
class Test{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         HttpSession session = request.getSession();
         String id = session.getId();
         // Log a one-way hash of the ID rather than the ID itself
         String hashid = getHashValue(id);
         request.getSession().getServletContext().log("Session id: " + hashid);
    }
 
    // Returns the SHA-256 digest of str as a 64-character lowercase hex string
    public static String getHashValue(String str)
    {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] messageDigest = md.digest(str.getBytes(StandardCharsets.UTF_8));
            BigInteger no = new BigInteger(1, messageDigest);
            String hashtext = no.toString(16);
            // SHA-256 is 32 bytes = 64 hex digits; restore leading zeros dropped by toString
            while (hashtext.length() < 64) {
                hashtext = "0" + hashtext;
            }
            return hashtext;
        }
        catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java SE implementation
            throw new RuntimeException(e);
        }
    }
}

In this fixed example, Klocwork no longer reports an issue because a SHA-256 hash of the session ID is logged rather than the ID itself. Note that this hash is unsalted: it is one-way for a session ID with enough entropy, but anyone who holds a candidate ID can confirm it against the log, so a salted or keyed hash as described under Mitigation and prevention is preferable.

Vulnerable code example 2

import jakarta.servlet.http.*;
import jakarta.servlet.*;
import java.security.*;
import java.io.*;
 
class Test{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         // The ID the client presented (cookie or URL), possibly for a hijacked session
         String id = request.getRequestedSessionId();
         // Defect: the raw session ID is written to the servlet log
         request.getSession().getServletContext().log("Session id is: " + id);
    }
}

Klocwork reports an SV.IL.SESSION defect on the getServletContext().log(...) call, indicating, "Logging session id can lead to hijacking of active sessions".

Fixed code example 2

import javax.servlet.http.*;
import javax.servlet.*;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.io.*;
 
class Test{
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
         String id = request.getRequestedSessionId();
         // getRequestedSessionId() returns null when the client sent no session ID
         String hashid = (id == null) ? "none" : getHashValue(id);
         request.getSession().getServletContext().log("Session id: " + hashid);
    }
 
    // Returns the SHA-256 digest of str as a 64-character lowercase hex string
    public static String getHashValue(String str)
    {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] messageDigest = md.digest(str.getBytes(StandardCharsets.UTF_8));
            BigInteger no = new BigInteger(1, messageDigest);
            String hashtext = no.toString(16);
            // SHA-256 is 32 bytes = 64 hex digits; restore leading zeros dropped by toString
            while (hashtext.length() < 64) {
                hashtext = "0" + hashtext;
            }
            return hashtext;
        }
        catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java SE implementation
            throw new RuntimeException(e);
        }
    }
}

In this fixed example, Klocwork no longer reports an issue because a SHA-256 hash of the requested session ID is logged rather than the ID itself (with a null check, since a request need not carry a session ID). As with the first fixed example, the hash is unsalted, so a salted or keyed hash remains the stronger choice.
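The two fixed examples log an unsalted SHA-256 digest, whereas the Mitigation and prevention section asks for a salted hash. The class below is an added example, not code from the Klocwork page or from the Servlet API, showing the keyed variant: an HMAC-SHA256 over the session ID under a server-side key, truncated to a short hex token for log readability, and null-safe for getRequestedSessionId(). The class name SessionLogToken, the constructor, the 16-character token length and the in-process random key are assumptions made for the illustration; in a servlet you would call getServletContext().log("Session token: " + tokens.tokenFor(session.getId())).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Derives a log-safe correlation token from a session ID with a keyed hash
 * (HMAC-SHA256). The key plays the role of the salt: without it a reader of
 * the log can neither recover a session ID nor confirm a guessed one, while
 * the token still lets operators group log lines by session.
 * Hypothetical helper written for this example.
 */
public final class SessionLogToken {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final int TOKEN_HEX_CHARS = 16; // 64 bits is ample for correlating log lines

    private final byte[] key;

    /** In a real deployment the key comes from a secret store, never from the log. */
    public SessionLogToken(byte[] key) {
        if (key == null || key.length < 32) {
            throw new IllegalArgumentException("HMAC key must be at least 32 bytes");
        }
        this.key = key.clone();
    }

    /** Random per-process key: tokens are then only correlatable within one process lifetime. */
    public static SessionLogToken withRandomKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return new SessionLogToken(k);
    }

    /**
     * Returns a short hex token for the given session ID, or "-" when the ID is
     * null (HttpServletRequest.getRequestedSessionId() returns null when the
     * client sent no session cookie or URL parameter).
     */
    public String tokenFor(String sessionId) {
        if (sessionId == null) {
            return "-";
        }
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(key, HMAC_ALG));
            byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
            return toHex(tag).substring(0, TOKEN_HEX_CHARS);
        } catch (GeneralSecurityException e) {
            // HmacSHA256 is mandatory in every Java SE implementation, so this is a configuration error
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Stand-alone demonstration with constructed session IDs (not real values). */
    public static void main(String[] args) {
        SessionLogToken tokens = SessionLogToken.withRandomKey();
        String sid = "9F4C3A1E7B2D4A6C8E0F1B3D5A7C9E2B";           // constructed sample ID
        String other = "0000000000000000000000000000ABCD";         // another constructed ID
        String t1 = tokens.tokenFor(sid);
        System.out.println("same session, same token:  " + t1.equals(tokens.tokenFor(sid)));
        System.out.println("different session differs: " + !t1.equals(tokens.tokenFor(other)));
        System.out.println("no session id logged as:   " + tokens.tokenFor(null));
        // A different key gives an unrelated token for the same ID, which is what stops
        // an outsider from precomputing tokens for guessed session IDs.
        System.out.println("other key differs:         "
                + !SessionLogToken.withRandomKey().tokenFor(sid).equals(t1));
        System.out.println("Session token: " + t1);               // the value that belongs in the log
    }
}
```

Truncating the HMAC output is safe here because the token is only used to correlate log lines; it is never used to look a session up, so collisions cost nothing and the shorter value keeps log lines readable. If correlation across restarts or across nodes is needed, share one key from the secret store instead of using withRandomKey().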

Security training

Application security training materials provided by Secure Code Warrior.