Include the client session ID in debug "reject new channel" logs.

psiphon/server/config.go

@@ -73,6 +73,8 @@ type Config struct {
 
 	// LogLevel specifies the log level. Valid values are:
 	// panic, fatal, error, warn, info, debug
+	//
+	// Some debug logs can contain user traffic destination address information.
 	LogLevel string
 
 	// LogFilename specifies the path of the file to log

psiphon/server/tunnelServer.go

@@ -3942,10 +3942,13 @@ func (sshClient *sshClient) rejectNewChannel(newChannel ssh.NewChannel, logMessa
 	// - We limit the failure information revealed to the client.
 	reason := ssh.Prohibited
 
-	// Note: Debug level, as logMessage may contain user traffic destination address information
+	// This log is Debug level, as logMessage can contain user traffic
+	// destination address information such as in the "LookupIP failed"
+	// and "DialTimeout failed" cases in handleTCPChannel.
 	if IsLogLevelDebug() {
 		log.WithTraceFields(
 			LogFields{
+				"sessionID":    sshClient.sessionID,
 				"channelType":  newChannel.ChannelType(),
 				"logMessage":   logMessage,
 				"rejectReason": reason.String(),