Request for Guidance on Modifying Parameter Name to Address Vulnerability Scan Concerns

[tonyliving]

Which version of Duende IdentityServer are you using?
7.0
Which version of .NET are you using?
8.0

My client requested a third-party security company to conduct a vulnerability scan, which identified the EndSessionCallback request's endSessionId parameter as sensitive information leakage due to the inclusion of the keyword session. My client has limited knowledge about security and asked us to make modifications. Could you provide a method to rename this parameter or change it to static readonly? I am considering using reflection to modify it.

[RolandGuijt]

Can you please explain why the parameter name would be a problem?
It's hard to change because it's hardcoded into IdentityServer.

From my perspective the only part of the parameter that could be vulnerable is its value. And that is encrypted.

[tonyliving]

Just because of the name, mainly because the client does not understand security-related knowledge and only listens to reports from third-party security companies.