Bug #23525
Status: closed
Document in logback.xml loggers that display secret at debug level
Pull Request:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: Checked
Regression: No
Description
There are some loggers that display sensitive information like the web session at trace or debug level. This is their purpose (for example, to debug session problems), so we can't really "correct" that behavior.
So we need to add a warning section in logback.xml to alert people about that fact.
From the parent issue, we found:
Session ID/cookie
We also have clear text session cookies:
DEBUG comet_trace - AJAX Request: node0511q903kiekr5o6wxww1ackn8 Map(F517770518092OA1LPL -> List(true))
DEBUG comet_trace - AJAX Response: node0511q903kiekr5o6wxww1ackn8 InMemoryResponse(
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 2462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))
TRACE application - Session node0511q903kiekr5o6wxww1ackn8 inactive for 12462ms / 1800000ms (Full(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0))
DEBUG org.springframework.security.web.session.HttpSessionEventPublisher - Publishing event: org.springframework.security.web.session.HttpSessionCreatedEvent[source=Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: node0511q903kiekr5o6wxww1ackn8
DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=RudderUserDetail(User(michel,$2b$12$cLxQd6r1qsu0e/psDyL0EuRAhhfHiuApN91cqQlPjyzSuoYcmolY6),Set(Administrator),ACL(List(ApiAclElement(Root(List()),HashSet(HEAD, PUT, GET, POST, DELETE))))), Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=node01ujpvbr7i82u5uhah1mcf0a867], Granted Authorities=[ROLE_USER]]] to HttpSession [Session@79246b96{id=node0511q903kiekr5o6wxww1ackn8,x=node0511q903kiekr5o6wxww1ackn8.node0,req=1,res=true}]
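As an added illustration (not Rudder's own logback.xml and not part of this ticket), here is what such a warning section could look like in a logback.xml file. The logger names (comet_trace, application, org.springframework.security) are taken from the log lines quoted above; the appender, the default levels and the wording of the comment are assumptions made for this example.

```xml
<configuration>

  <!-- Example appender (assumed for this illustration). -->
  <appender name="FILE" class="ch.qos.logback.core.FileAppender">
    <file>/var/log/rudder/webapp/example.log</file>
    <encoder>
      <pattern>%d{yyyy-MM-dd HH:mm:ss} %-5level %logger - %msg%n</pattern>
    </encoder>
  </appender>

  <!--
    ===================================================================
    WARNING: the loggers below write SECRETS to the log file when set
    to DEBUG or TRACE. That is their purpose (they exist to debug
    session problems), so their output cannot be sanitized:

      - comet_trace                 : AJAX request/response, including
                                      the web session ID (session cookie)
      - application                 : session inactivity messages, with
                                      the session ID and user agent
      - org.springframework.security: session creation / fixation
                                      protection and the stored security
                                      context, including the session ID
                                      and the authenticated principal

    Keep them at INFO or higher in production. If you lower them to
    troubleshoot, treat the resulting log file as sensitive data,
    restrict who can read it, and raise the level back as soon as the
    investigation is over.
    ===================================================================
  -->
  <logger name="comet_trace" level="INFO" />
  <logger name="application" level="INFO" />
  <logger name="org.springframework.security" level="INFO" />

  <root level="INFO">
    <appender-ref ref="FILE" />
  </root>

</configuration>
```

The point of putting the warning directly above the `<logger>` elements is that an operator who edits the file to change a level sees it at the moment they are about to lower it, rather than in documentation they may never open.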