The IDPS must invalidate session identifiers upon user logout or other session termination.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-34745 | SRG-NET-000231-IDPS-00165 | SV-45654r1_rule | Medium |
| Description |
|---|
| Session IDs are tokens generated by web applications to uniquely identify an application user's session. Applications will make application decisions and execute business logic based on the session ID. When a user logs out, or when any other session termination event occurs, the application must terminate the user session to minimize the potential for an attacker to hijack that particular user session. |
| STIG | Date |
|---|---|
| Intrusion Detection and Prevention Systems (IDPS) Security Requirements Guide | 2012-11-19 |
Details
| Check Text ( C-43020r1_chk ) |
|---|
| Verify the configuration for communications is configured to invalidate session identifiers upon administrator logout or other session termination. If the IDPS is not configured to release and invalidate session identifiers upon user logout or session termination, this is a finding. |
| Fix Text (F-39052r1_fix) |
|---|
| Configure the IDPS components to invalidate session identifiers upon user logout or other session termination. |