
The firewall implementation must invalidate session identifiers upon user logout or other session termination.


Overview

Finding ID: SRG-NET-000231-FW-000144
Version: SRG-NET-000231-FW-000144
Rule ID: SRG-NET-000231-FW-000144_rule
IA Controls: (none listed)
Severity: Medium
Description
Session IDs are tokens generated by web applications, here the firewall's web-based management interface, to uniquely identify an application user's session. Applications make authorization decisions and execute business logic based on the session ID, so whoever presents a valid ID is treated as the authenticated user. When a user logs out, or when any other session termination event occurs (for example, an idle or absolute timeout), the application must terminate the user session on the server side, not merely instruct the browser to discard its cookie, to minimize the potential for an attacker who has captured that identifier to hijack the session by replaying it.
STIG: Firewall Security Requirements Guide
Date: 2012-12-10

Details

Check Text (C-SRG-NET-000231-FW-000144_chk)
Verify the firewall is configured to invalidate session identifiers upon administrator (user) logout or other session termination. A session identifier that is still accepted by the firewall after logout, for example when replayed from a second browser, has not been invalidated.

If the firewall is not configured to release and invalidate session identifiers upon user logout or session termination, this is a finding.
Fix Text (F-SRG-NET-000231-FW-000144_fix)
Configure the firewall implementation to invalidate session identifiers upon user logout or other session termination.
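The following is an added example written for this page; it is not code from the STIG, from DISA, or from any firewall vendor. It models a minimal server-side session table for a hypothetical management interface and contrasts the non-compliant pattern the Description and Check Text describe (logout only clears the browser cookie, so a captured identifier still works) with a compliant logout that invalidates the identifier on the server. It also terminates sessions on idle and absolute timeout, the "other session termination" case. All names, the timeout values and the captured-identifier scenario are assumptions for illustration.

```python
# Added example, not part of the STIG or any vendor's firewall code: a minimal
# server-side session table for a hypothetical firewall management UI. It
# contrasts a logout that only clears the browser cookie (the finding) with one
# that invalidates the identifier on the server, and also terminates sessions on
# timeout. Timeout values and all names are assumptions for illustration.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 600           # seconds of inactivity before termination (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # maximum session lifetime in seconds (assumed)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by a random identifier."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                      # injectable clock so timeouts can be tested
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits of entropy, not guessable
        t = self._now()
        self._sessions[sid] = Session(user, t, t)
        return sid

    def resolve(self, sid: str) -> Optional[str]:
        """Return the user bound to sid, or None if it is not a live session."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created > ABSOLUTE_TIMEOUT:
            self.terminate(sid)              # timed out: invalidate, not merely refuse
            return None
        s.last_seen = t
        return s.user

    def terminate(self, sid: str) -> None:
        """Logout or any other termination event: drop the server-side state so
        a captured identifier cannot be replayed."""
        self._sessions.pop(sid, None)

    def terminate_all_for(self, user: str) -> int:
        """Account disable or credential reset: end every live session of that user."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            self.terminate(sid)
        return len(doomed)


CLEAR_COOKIE = "session=; Max-Age=0; Path=/; Secure; HttpOnly"


def logout_cookie_only(store: SessionStore, sid: str) -> str:
    """Non-compliant pattern: tells the browser to forget the cookie but leaves
    the session live on the server. Returns the Set-Cookie header value."""
    return CLEAR_COOKIE


def logout_compliant(store: SessionStore, sid: str) -> str:
    """Compliant pattern: invalidate on the server first, then clear the cookie."""
    store.terminate(sid)
    return CLEAR_COOKIE


def replay_after_logout(logout: Callable[[SessionStore, str], str]) -> bool:
    """Constructed scenario: an attacker who captured the admin's session ID
    replays it after the admin logged out. Returns True if the replay is still
    accepted, i.e. the logout did not invalidate the identifier (a finding)."""
    store = SessionStore()
    sid = store.login("admin")
    captured = sid                           # attacker's copy of the identifier
    logout(store, sid)                       # admin clicks "logout"
    return store.resolve(captured) is not None


if __name__ == "__main__":
    print("cookie-only logout replayable:", replay_after_logout(logout_cookie_only))  # True: finding
    print("compliant logout replayable:  ", replay_after_logout(logout_compliant))    # False
```

The check the page asks for maps directly onto `replay_after_logout`: capture the identifier the management UI issues, log out, and present the identifier again from a second client. If the device still answers as the administrator, the identifier was not invalidated.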