SessionManager emits Set-Cookie headers randomly (in the sense that it is unrelated to what URL was requested) in at least three cases:
- when the session is near expiry
- when the session is incorrect (e.g. the user name and ID don't match) or invalid (e.g. the user token does not match the one in the database), to delete the cookies
- when the user has no local session cookies but has CentralAuth second-level domain session cookies
Make sure all such events can easily be listed in Logstash, with at least the following information:
- type of the event (the three options above)
- username for which the cookies are issued
- IP of the request
- user agent of the request