Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-76725 | IISW-SV-000134 | SV-91421r4_rule | Medium |
Description |
---|
Cookies are used to exchange data between the web server and the client. Cookies, such as a session cookie, may contain session information and user credentials used to maintain a persistent connection between the user and the hosted application since HTTP/HTTPS is a stateless protocol. Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection. |
STIG | Date |
---|---|
IIS 8.5 Server Security Technical Implementation Guide | 2019-03-20 |
Check Text ( C-76381r4_chk ) |
---|
Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under "ASP.Net", double-click on the "Session State" icon. Under "Cookie Settings", verify the "Mode" has "Use Cookies" selected from the drop-down list. If the "Cookie Settings" "Mode" is not set to "Use Cookies", this is a finding. Note: If IIS 8.5 server/site is used only for system-to-system maintenance, does not allow users to connect to interface, and is restricted to specific system IPs, this is Not Applicable. |
Fix Text (F-83421r3_fix) |
---|
Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under "ASP.Net", double-click on the "Session State" icon. Under "Cookie Settings", select "Use Cookies” from the "Mode" drop-down list. Click "Apply" in the "Actions" pane. |