id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
33606	Session ID should be cleansed from error reporting	Tobias Bengfort	Tobias Bengfort	"the session ID should be cleansed when reporting errors, just like other credentials. A patch is available at https://github.com/django/django/pull/15352.

See also #29714 and https://groups.google.com/g/django-developers/c/H5hJxpwYFcw.

A quick github search yielded multiple occasions where session IDs ended up in public bug reports:

https://github.com/GibbsConsulting/django-plotly-dash/issues/376
https://github.com/ome/omero-mapr/issues/42
https://github.com/jhelbert/great_teaching_network/issues/220
https://github.com/dzone/osqa/issues/355

I am sure you could find many  more. This could potentially be exploited by automatically searching for  such requests and hijacking the associated accounts."	Cleanup/optimization	closed	Error reporting	4.0	Normal	fixed			Ready for checkin	1	0	0	0	0	0