UCF STIG Viewer Logo

The Apache web server must generate unique session identifiers with definable entropy.


Finding ID Version Rule ID IA Controls Severity
V-214335 AS24-W1-000530 SV-214335r505936_rule Medium
Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. Random and unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Random session identifiers help to reduce predictability of said identifiers. The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques. For this purpose, a good Pseudo Random Number Generator (PRNG) must be used. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions. At least half of a session ID must be created using a definable source of entropy (PRNG).
Apache Server 2.4 Windows Server Security Technical Implementation Guide 2021-09-27


Check Text ( C-15547r277508_chk )
Review the <'INSTALLED PATH'>\conf\httpd.conf file.

Verify the "ssl_module" is loaded.

If it does not exist, this is a finding.

If the "SSLRandomSeed" directive is missing or does not look like the following, this is a finding:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Fix Text (F-15545r277509_fix)
Edit the <'INSTALLED PATH'>\conf\httpd.conf file and load the "ssl_module" module.

Set the "SSLRandomSeed" directives to the following:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Restart the Apache service.