Applications must use system-generated session identifiers that protect against session fixation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222579	APSC-DV-002250	SV-222579r508029_rule		Medium

Description
Session fixation allows an attacker to hijack a valid user’s application session. The attack focuses on the manner in which a web application manages the user’s session ID. Applications become vulnerable when they do not assign a new session ID when authenticating users thereby using the existing session ID. Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. In many cases, creating a new session ID cookie containing a new unique value whenever authentication is performed will address the issue of session fixation. Allowing the user to submit a session ID also introduces the risk that the application could be subject to a session fixation attack.

Description

Session fixation allows an attacker to hijack a valid user’s application session. The attack focuses on the manner in which a web application manages the user’s session ID. Applications become vulnerable when they do not assign a new session ID when authenticating users thereby using the existing session ID. Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided session management framework. In many cases, creating a new session ID cookie containing a new unique value whenever authentication is performed will address the issue of session fixation. Allowing the user to submit a session ID also introduces the risk that the application could be subject to a session fixation attack.

STIG	Date
Application Security and Development Security Technical Implementation Guide	2022-09-21

Details

Check Text ( C-24249r493645_chk )
Review the application documentation and interview the application administrator to identify how the application generates user session IDs. Application session testing is required in order to verify this requirement. Request the latest application vulnerability or penetration test results. Verify the test configuration includes session handling vulnerability tests. If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding. If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Check Text ( C-24249r493645_chk )

Review the application documentation and interview the application administrator to identify how the application generates user session IDs.

Application session testing is required in order to verify this requirement.

Request the latest application vulnerability or penetration test results.

Verify the test configuration includes session handling vulnerability tests.

If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.

If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Fix Text (F-24238r493646_fix)
Design the application to generate new session IDs with unique values when authenticating user sessions.