Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The web server must generate a session ID long enough that it cannot be guessed through brute force.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-41808 | SRG-APP-000224-WSR-000137 | SV-54385r2_rule | Medium |
| Description |
|---|
| Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. Generating session IDs that are at least 128 bits (16 bytes) in length will cause an attacker to take a large amount of time and resources to guess, reducing the likelihood of an attacker guessing a session ID. |
| STIG | Date |
|---|---|
| Web Server Security Requirements Guide | 2014-11-17 |
Details
| Check Text ( C-48196r2_chk ) |
|---|
| Review the web server documentation and deployed configuration to see how long the generated session identifiers are. If the web server is not configured to generate session identifiers that are at least 128 bits (16 bytes) in length, this is a finding. |
| Fix Text (F-47267r2_fix) |
|---|
| Configure the web server to generate session identifiers that are at least 128 bits in length. |