
The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.


Overview

Finding ID: V-6144
Version: APP3410
Rule ID: SV-6144r1_rule
IA Controls: ECLO-1
Severity: Medium
Description
If a user account has been compromised, limiting the number of sessions allows the administrator to detect the compromise through the indication that the maximum number of sessions has been exceeded. Limiting the number of sessions also lets the application keep its resources from becoming overloaded and prevents a large-scale DoS.
STIG: Application Security and Development Checklist
Date: 2014-12-22

Details

Check Text ( C-2958r1_chk )
Work with the application representative to identify application modules that involve user or process sessions (e.g., a user may initiate a session with a web server, which in turn maintains sessions with a backend database server). For each session type, ask the application representative the limits on:
• Number of sessions per user ID
• Number of sessions per application

1) If the application representative states the session limits are absent for any of the session types, it is a finding.

In many cases, session configuration parameters can be examined directly. If the parameters are embedded within the application, they may not be available for review; any session limit that cannot be inspected in configuration should be tested manually. The preferred method depends on the application environment.

2) If there is no evidence of a required session limit on one or more of the session types, it is a finding.

The finding details should note specifically which types of sessions are left unbounded and are thus more vulnerable to DoS attacks.
Fix Text (F-17073r1_fix)
Implement limits on:
• Number of sessions per user ID
• Number of sessions per application

Implement session limits.
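The two limits this rule asks for (sessions per user ID and sessions per application), together with the compromise indicator the Description relies on (a user repeatedly hitting the per-user cap), as an added example that is not part of the STIG text. The registry, the cap values and the user and session names are constructed for the demonstration.

```python
import logging
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed example: an in-memory session registry that enforces the two
# limits named in APP3410. Cap values and identifiers are hypothetical.
logger = logging.getLogger("session_limits")


@dataclass
class SessionRegistry:
    max_per_user: int
    max_per_app: int
    # Application-wide count of live sessions.
    active: int = 0
    # user_id -> set of live session ids.
    by_user: dict = field(default_factory=lambda: defaultdict(set))
    # user_id -> number of logons refused by the per-user cap. A rising count
    # is the "maximum number of sessions exceeded" indication an admin reviews.
    refusals: dict = field(default_factory=lambda: defaultdict(int))

    def open(self, user_id: str, session_id: str) -> bool:
        """Admit a session only if both caps hold; every refusal is logged."""
        if self.active >= self.max_per_app:
            logger.warning("application cap %d reached; refused logon for %s",
                           self.max_per_app, user_id)
            return False
        if len(self.by_user[user_id]) >= self.max_per_user:
            self.refusals[user_id] += 1
            logger.warning("user %s exceeded per-user cap %d (%d refusals so far)",
                           user_id, self.max_per_user, self.refusals[user_id])
            return False
        self.by_user[user_id].add(session_id)
        self.active += 1
        return True

    def close(self, user_id: str, session_id: str) -> None:
        """Release a session; closing an unknown id is a harmless no-op."""
        if session_id in self.by_user[user_id]:
            self.by_user[user_id].discard(session_id)
            self.active -= 1

    def over_limit_users(self) -> list:
        """Users who have hit the per-user cap at least once, for admin review."""
        return sorted(u for u, n in self.refusals.items() if n > 0)
```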