debug log ids shouldn't be predictable

Description

the debug log ids are rather predictable

https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/debug/DebuggerImpl.java#L659

it would be more secure to append some random value so they can't be easily guessed

Activity

Show:
Pothys - MitrahSoft
July 17, 2019, 12:10 PM

I've added a fix to show the random value for the debug log id for this ticket.

Pull request: https://github.com/lucee/Lucee/pull/723

Zac Spitzer
July 17, 2019, 4:47 PM

could you add pci.getRequestId() and pci.getId() as individual properties too?

It’s very useful if you want to analyse a user's session, you can follow thru their debug logs sequentially

 

Pothys - MitrahSoft
July 18, 2019, 11:10 AM

I added the existing id as usual with the updated name called as "default_id".
This is the output of my changes.

Micha will confirm these changes.

Zac Spitzer
July 18, 2019, 11:36 AM

I'd prefer two fields rather than a compound key, if I'm going to use them, I'm just going to always ListToArray

Zac Spitzer
July 26, 2019, 12:02 PM

is this improvement going to make it into 5.3.4 ?

Fixed

Assignee

Michael Offner

Reporter

Zac Spitzer

Labels

Affects versions

Priority

New
Configure