Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-70147 | APSC-DV-001800 | SV-84769r1_rule | Medium |
Description |
---|
Simply removing a user from a web application without terminating any existing application user sessions can introduce a scenario where the deleted user still has access to the application even though their account has been deleted from the authentication store. This can be attributed to browser caching and session management on the web server. To address this, the web application must provide a means for ensuring this type of "zombie" access does not occur. Applications must provide a user management feature or function that will terminate any existing user sessions at the same time or just before the user account is terminated from the authoritative authentication source. |
STIG | Date |
---|---|
Application Security and Development Security Technical Implementation Guide | 2017-03-20 |
Check Text ( C-70623r1_chk ) |
---|
Review the application documentation and interview the application administrator. Identify the user management functions of the application and create a test user account. Access the application and perform application functions as the test user. Access the user management functions and delete the test account while the test user sessions are still active. Verify the test user application sessions are terminated by attempting to perform additional application functions. If the test user retains access after the test account has been deleted, this is a finding. |
Fix Text (F-76383r1_fix) |
---|
Configure the application to terminate existing sessions of users whose accounts are deleted. |