The application must not re-use or recycle session IDs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-70215	APSC-DV-002280	SV-84837r1_rule		Medium

Description
Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. Session identifiers are assigned to application users so they can be uniquely identified. This allows the user to customize their web application experience and also allows the developer to differentiate between users thereby providing the opportunity to customize the user’s features and functions. Once a user has logged out of the application or had their session terminated, their session IDs should not be re-used. Session IDs should also not be used for other purposes such as creating unique file names and they should also not be re-assigned to other users once the original user has logged out or otherwise quit the application. Allowing session ID reuse increases the risk of replay attacks. Session testing is a detailed undertaking and is usually done in the course of a web application vulnerability or penetration assessment.

Description

Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. Session identifiers are assigned to application users so they can be uniquely identified. This allows the user to customize their web application experience and also allows the developer to differentiate between users thereby providing the opportunity to customize the user’s features and functions. Once a user has logged out of the application or had their session terminated, their session IDs should not be re-used. Session IDs should also not be used for other purposes such as creating unique file names and they should also not be re-assigned to other users once the original user has logged out or otherwise quit the application. Allowing session ID reuse increases the risk of replay attacks. Session testing is a detailed undertaking and is usually done in the course of a web application vulnerability or penetration assessment.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2017-01-09

Details

Check Text ( C-70691r1_chk )
Review the application documentation and interview the application administrator to identify how the application generates user session IDs. Application session testing is required in order to verify this requirement. Request the latest application vulnerability or penetration test results. Verify the test configuration includes session handling vulnerability tests. If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding. If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Check Text ( C-70691r1_chk )

Review the application documentation and interview the application administrator to identify how the application generates user session IDs.

Application session testing is required in order to verify this requirement.

Request the latest application vulnerability or penetration test results.

Verify the test configuration includes session handling vulnerability tests.

If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.

If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Fix Text (F-76451r1_fix)
Design the application to not re-use session IDs.