I just noticed api.log which seems to log all the API access in a form like:
2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] (2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) (userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- GET command=listZones&response=json&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422 200 { "listzonesresponse" : { "count":1 ,"zone" : [ {"id":"cdaf82f1-3b57-4aa4-b3ce-b60173ed45f2","name":"zone1","dns1":"8.8.8.8","dns2":"8.8.4.4","internaldns1":"8.8.4.4","networktype":"Basic","securitygroupsenabled":true,"allocationstate":"Enabled","zonetoken":"6dce94e8-e8dc-3077-bfde-c6e8594bd449","dhcpprovider":"VirtualRouter","localstorageenabled":false} ] } }
The sessionId and sessionKey are logged in the file. I haven't tried it yet, but can't I use that info to hijack the session? That introduces a security issue in that any server operator can now hijack anybody's session. So that api.log file really needs to be protected in the same way a file with a password in it would be.
I would suggest that we just don't log the sessionId or sessionKey.

Darren
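Added example, not part of the original message and not CloudStack code: a Python filter that scrubs the two session secrets from api.log lines of the form quoted above. Replacing each value with a keyed fingerprint (so requests from one session can still be correlated) is a design choice of this example; `redact_line`, `fingerprint` and `DEMO_KEY` are hypothetical names.

```python
import hashlib
import hmac
import re

# Matches the two secrets visible in the quoted log line: "sessionId=" in the
# context block and the "sessionkey=" query parameter (URL-encoded or not).
# A value ends at whitespace, '&' or the closing ')'.
SECRET_RE = re.compile(r"(?i)\b(sessionid|sessionkey)=([^&\s)]+)")

# Placeholder key for the demo; a real deployment would load a secret that
# log readers cannot see, otherwise fingerprints could be brute-forced.
DEMO_KEY = b"constructed-demo-key"

# Shortened copy of the line quoted in the message (response body trimmed).
SAMPLE = (
    "2013-09-13 00:02:09,451 INFO [a.c.c.a.ApiServer] "
    "(2011638958@qtp-657397168-0:ctx-81b1e088 ctx-174e4a62) "
    "(userId=2 accountId=2 sessionId=7asvmtwoesbc6ia3e4kxtzrl) 127.0.0.1 -- "
    "GET command=listZones&response=json"
    "&sessionkey=ec6h46Om8a1y3d%2BhrdIpQ85cAfc%3D&_=1379055729422 "
    '200 { "listzonesresponse" : { "count":1 } }'
)


def fingerprint(value, key):
    """Short keyed digest: stable per session, useless for replaying it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def redact_line(line, key):
    """Return (scrubbed_line, number_of_secrets_replaced)."""
    def repl(match):
        name, value = match.group(1), match.group(2)
        return f"{name}=<redacted:{fingerprint(value, key)}>"
    return SECRET_RE.subn(repl, line)


if __name__ == "__main__":
    scrubbed, hits = redact_line(SAMPLE, DEMO_KEY)
    print(f"{hits} secret(s) replaced")
    print(scrubbed)
```

Scrubbing after the fact only helps for copies made from then on; lines already written to api.log still hold live values until those sessions expire.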