Summary
Session cookie values are recorded in Sentry issues. Anyone who can read the issue can impersonate the affected user by setting the captured value in their own session cookie.
Cause
The Sentry Python SDK (specifically the Django integration) includes request cookie values in the events it sends by default. In addition, Sentry SaaS and the self-hosted installation are configured with send_default_pii enabled.
Recommended Remediation
The Sentry Python SDK's Django integration should be patched so that it never sends the values of the cookies named by SESSION_COOKIE_NAME and CSRF_COOKIE_NAME. These values should be scrubbed regardless of the send_default_pii setting.
Other web framework integrations should have similar scrubbing put in place.
The default self-hosted installation configuration should not set send_default_pii to True. Users are unlikely to change this, so it should be opt-in.
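Until the SDK scrubs these cookies itself, an application can do so with a before_send hook. The following is an added example, not code from the original report or from the Sentry SDK: it redacts the session and CSRF cookie values from an event's request data whether the SDK placed them in the parsed cookies dict, in a raw cookies string, or in the Cookie header, and it does this independently of send_default_pii. The cookie names are assumed to be Django's defaults ("sessionid" and "csrftoken") so the example runs without Django; a real project would read SESSION_COOKIE_NAME and CSRF_COOKIE_NAME from django.conf.settings. The sample event is constructed to match the shape the Python SDK passes to before_send.

```python
"""Added example (not from the original report or the Sentry SDK): a
before_send hook that redacts Django session and CSRF cookie values from a
Sentry event regardless of the send_default_pii setting.
"""

# Assumed names: Django's defaults for SESSION_COOKIE_NAME / CSRF_COOKIE_NAME.
# In a real project, read them from django.conf.settings instead.
SENSITIVE_COOKIES = frozenset({"sessionid", "csrftoken"})
REDACTED = "[Filtered]"


def scrub_cookie_header(header: str) -> str:
    """Redact sensitive values inside a raw 'Cookie' header string while
    preserving the other cookies and their order."""
    scrubbed = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, sep, value = chunk.partition("=")
        name = name.strip()
        if sep and name in SENSITIVE_COOKIES:
            value = REDACTED
        scrubbed.append(f"{name}={value}" if sep else name)
    return "; ".join(scrubbed)


def scrub_session_cookies(event: dict, hint=None) -> dict:
    """before_send hook: redact session/CSRF cookies wherever the SDK may
    have placed them under event['request'] (parsed cookies, raw cookie
    string, or the Cookie request header). Returns the modified event."""
    request = event.get("request")
    if not isinstance(request, dict):
        return event  # no HTTP request attached (e.g. a background task)

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in cookies:
            if name in SENSITIVE_COOKIES:
                cookies[name] = REDACTED
    elif isinstance(cookies, str):
        request["cookies"] = scrub_cookie_header(cookies)

    headers = request.get("headers")
    if isinstance(headers, dict):
        for key, value in headers.items():
            # Header names are case-insensitive; match 'Cookie' however spelled.
            if key.lower() == "cookie" and isinstance(value, str):
                headers[key] = scrub_cookie_header(value)
    return event


# Constructed sample event in the shape the Python SDK hands to before_send.
SAMPLE_EVENT = {
    "message": "ValueError in checkout view",
    "request": {
        "url": "https://shop.example/checkout",
        "cookies": {"sessionid": "k3p9x...", "csrftoken": "Q7mZ...", "theme": "dark"},
        "headers": {
            "Cookie": "sessionid=k3p9x...; csrftoken=Q7mZ...; theme=dark",
            "User-Agent": "Mozilla/5.0",
        },
    },
}

if __name__ == "__main__":
    import json

    # Only the session and CSRF values are replaced; 'theme' survives intact.
    print(json.dumps(scrub_session_cookies(SAMPLE_EVENT), indent=2))
```

Register the hook with `sentry_sdk.init(dsn=..., before_send=scrub_session_cookies)`. The hook mutates the event in place and returns it, which is what before_send expects; returning None would instead drop the event entirely. Note that this is an application-side mitigation and does not remove the need for the SDK-level fix recommended above, since every project would otherwise have to remember to add it.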