UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6144 APP3410 SV-6144r1_rule ECLO-1 Medium
Description
If a user account has been compromised, limiting the number of sessions will allow the administrator to detect if the account has been compromised by an indication that the maximum number of sessions has been exceeded. Also, limiting the number of sessions affords an application the ability to prevent resources from becoming overloaded, and prevent a large scale DoS.
STIG Date
Application Security and Development Checklist 2014-12-22

Details

Check Text ( C-2958r1_chk )
Work with the application representative to identify application modules that involve user or process sessions (e.g., a user may initiate a session with a web server, which in turn maintains sessions with a backend database server). For each session type, ask the application representative the limits on:
• Number of sessions per user ID
• Number of sessions per application

1) If the application representative states the session limits are absent for any of the session types, it is a finding.

In many cases, session configuration parameters can be examined. If configuration parameters are embedded within the application, they may not be available for review. Any configuration settings that are not configurable should be manually tested. The preferred method depends on the application environment.

2) If there is no evidence of a required session limit on one or more of the session types, it is a finding.

The finding details should note specifically which types of sessions are left unbounded, and thus, more vulnerable to DoS attacks.
Fix Text (F-17073r1_fix)
Implement limits on:
• Number of sessions per user ID
• Number of sessions per application

Implement session limits.