UCF STIG Viewer Logo

The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.


Finding ID Version Rule ID IA Controls Severity
V-214375 AS24-W2-000460 SV-214375r803279_rule Medium
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
Apache Server 2.4 Windows Site Security Technical Implementation Guide 2021-09-27


Check Text ( C-15586r803277_chk )
Working with the administrator, inspect the module used to invalidate sessions upon logout or other organizationally defined event (such as removing a CAC).

Verify the session max age in that module is set to "1".

If it does not exist, this is a finding.

If the session max age is not set to "1", this is a finding.

Alternative instruction:
Log in to the site using a test account.

Log out of the site.

Confirm the session and session ID were terminated and use of the website is no longer possible.

If use of the site is still possible after logging out, this is a finding.
Fix Text (F-15584r803278_fix)
Edit the .conf file and add or set the session max age to "1".

This conf file can vary depending on what type of logon session ID management is being leveraged.