A session id should not be used in application logs or as an identifier (in a cache, blacklist, &etc.) because its use could leave user sessions vulnerable to theft if the application is compromised in some other way.


== Noncompliant Code Example

[source,text]
----
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException  {
  HttpSession session = request.getSession(false);
  String sessionId = session.getId();  // Noncompliant

  // ...
}
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication