UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Apache web server must perform server-side session management.


Overview

Finding ID Version Rule ID IA Controls Severity
V-92487 AS24-W2-000020 SV-102575r1_rule Medium
Description
Session management is the practice of protecting the bulk of the user authorization and identity information. Storing of this data can occur on the client system or on the server. When the session information is stored on the client, the session ID, along with the user authorization and identity information, is sent along with each client request and is stored in a cookie, embedded in the uniform resource locator (URL), or placed in a hidden field on the displayed form. Each of these offers advantages and disadvantages. The biggest disadvantage to all three is the hijacking of a session along with all of the user's credentials. When the user authorization and identity information is stored on the server in a protected and encrypted database, the communication between the client and web server will only send the session identifier, and the server can then retrieve user credentials for the session when needed. If, during transmission, the session were to be hijacked, the user's credentials would not be compromised.
STIG Date
Apache Server 2.4 Windows Site Security Technical Implementation Guide 2019-10-03

Details

Check Text ( C-91789r1_chk )
In a command line, navigate to <'INSTALL PATH'>\bin. Run "httpd -M" to view a list of installed modules.

If the module "mod_session" is not enabled, this is a finding.
Fix Text (F-98729r1_fix)
Uncomment the "mod_session" module in the <'INSTALLED PATH'>\conf\httpd.conf file.

Additional documentation can be found at:

https://httpd.apache.org/docs/2.4/mod/mod_usertrack.html

https://httpd.apache.org/docs/2.4/mod/mod_session.html