I am having a hard-to-reproduce issue with Facebook login timeouts in my app, so I opened a ticket with Facebook. They asked me to send them a user access token from when the issue occurred. As the issue is hard to reproduce, I would need to log the access token, so it would be in our log files and also in our log analysis tool. Is it risky for the access token to be in our log file and in our analysis tool, assuming it's not publicly available?
You should not log access tokens. Anyone who has access to the access tokens can temporarily hijack those accounts.
If you follow the OAuth guidance, your access tokens should have a short lifetime, which reduces the risk. Nevertheless, the number of users that may be exposed by logging these tokens makes it a serious concern.
The threat of access tokens in log files is discussed in the OAuth threat model.
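As an added example (not part of the original thread), here is one way to follow this advice while still giving Facebook support something to correlate against: a Python `logging.Filter` that scrubs access tokens out of every log line before any handler writes it, replacing each token with a short SHA-256 fingerprint. The fingerprint lets you tie a log line to a specific login attempt without the log ever containing the reusable secret. The regular expressions for where a token shows up (an `access_token=` parameter and an `Authorization: Bearer` header) are assumptions for the example, and the sample log lines are constructed.

```python
import hashlib
import io
import logging
import re

# Assumed token locations: an access_token query/form parameter and a Bearer header.
# These regexes are assumptions for this example, not a specification of Facebook's format.
_TOKEN_PATTERNS = [
    re.compile(r"(?i)(access_token=)([^&\s\"']+)"),
    re.compile(r"(?i)(Bearer\s+)([A-Za-z0-9\-._~+/]+=*)"),
]


def fingerprint(token: str) -> str:
    """Short, non-reversible identifier for a token.

    Lets a log line be matched to a specific login attempt (e.g. in a support
    ticket) without the log storing the secret itself.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def redact(message: str) -> str:
    """Replace every token matched by _TOKEN_PATTERNS with a fingerprint placeholder."""

    def _sub(m: re.Match) -> str:
        return f"{m.group(1)}[REDACTED fp={fingerprint(m.group(2))}]"

    for pattern in _TOKEN_PATTERNS:
        message = pattern.sub(_sub, message)
    return message


class TokenRedactingFilter(logging.Filter):
    """Scrub tokens from the fully formatted message before any handler sees it.

    Attach it to handlers, not only to a logger: logger-level filters do not
    run for records that propagate up from child loggers.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        # getMessage() applies %-style args, so the redaction also covers
        # tokens passed as arguments rather than embedded in the format string.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def capture_redacted(fmt: str, *args) -> str:
    """Log one message through a handler carrying the filter and return what it wrote.

    Used here to show the filter end to end; in a real app attach the filter to
    the handlers that feed your log files and log analysis tool.
    """
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(TokenRedactingFilter())
    logger = logging.getLogger("fb_login_demo")
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.handlers = [handler]
    logger.info(fmt, *args)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample log lines; the token values are made up.
    print(capture_redacted("Graph API timeout: GET /me?access_token=EAABsbCS1iHgBAexample&fields=id"))
    print(capture_redacted("Retrying with header Authorization: %s", "Bearer EAABsbCS1iHgBAexample"))
```

Record the fingerprint in the ticket and keep the token itself only in a short-lived, access-controlled place (or not at all, if support can work from the fingerprint plus timestamps); the fingerprint alone cannot be used to call the API.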
Actually, they said to always make sure the access token is secure, so I won't be including it in the log file.