| SC-23 (1) Invalidate Session Identifiers At Logout | | This control enhancement curtails the ability of adversaries from capturing and continuing to employ previously valid session IDs. The information system invalidates session identifiers upon user logout or other session termination. | SC-23 (2) User-Initiated Logouts / Message Displays | | Withdrawn: Incorporated into AC-12 (1). | SC-23 (3) Unique Session Identifiers With Randomization | | This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. The information system generates a unique session identifier for each session with Assignment: organization-defined randomness requirements and recognizes only session identifiers that are system-generated. | SC-23 (4) Unique Session Identifiers With Randomization | | Withdrawn: Incorporated into SC-23 (3). | SC-23 (5) Allowed Certificate Authorities | | Reliance on certificate authorities (CAs) for the establishment of secure sessions includes, for example, the use of Secure Socket Layer (SSL) and/or Transport Layer Security (TLS) certificates. These certificates, after verification by the respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers. The information system only allows the use of Assignment: organization-defined certificate authorities for verification of the establishment of protected sessions. | 