From 3db1e4212ce896b3d4ec4ac9ee10c1ec07a46db5 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Fri, 19 Apr 2019 11:46:39 +0200
Subject: [PATCH] Don't log full session identifiers
---
 plugins/kolab_auth/kolab_auth.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php
index 91d1c751..af4f5f7b 100644
--- a/plugins/kolab_auth/kolab_auth.php
+++ b/plugins/kolab_auth/kolab_auth.php
@@ -874,11 +874,15 @@ class kolab_auth extends rcube_plugin
 $username = sprintf('%s (as user %s)', $username, $login_as);
 }
+ // Don't log full session id for better security
+ $session_id = session_id();
+ $session_id = $session_id ? substr($session_id, 0, 16) : 'no-session';
+
 $message = sprintf(
 "Failed login for %s from %s in session %s %s",
 $username,
 rcube_utils::remote_ip(),
- session_id() ?: 'no-session',
+ $session_id,
 $message ? "($message)" : ''
 );
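Review bot: The 16-character prefix kept by `substr($session_id, 0, 16)` is still part of the live session secret, so the protection left for a session whose log line is exposed rests entirely on the unlogged suffix, and the length of that suffix depends on the configured session id length, which nothing in this hunk checks. Logging a one-way digest keeps the field useful for correlating log lines without disclosing any of the identifier: `$session_id = $session_id ? substr(hash('sha256', $session_id), 0, 16) : 'no-session';`. The comment above it would then read `// Log a truncated hash of the session id, never the id itself`. The enclosing method starts and ends outside the hunk, so any other log call in it that may still print `session_id()` is not visible here.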