UCF STIG Viewer Logo

The web server must generate a unique session identifier for each session using a FIPS 140-2 approved random number generator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-56023 SRG-APP-000224-WSR-000135 SV-70277r1_rule Medium
Description
Communication between a client and the web server is done using the HTTP protocol, but HTTP is a stateless protocol. In order to maintain a connection or session, a web server will generate a session identifier (ID) for each client session when the session is initiated. The session ID allows the web server to track a user session and, in many cases, the user, if the user previously logged into a hosted application. Unique session IDs are the opposite of sequentially generated session IDs, which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of generated identifiers. Unique session IDs address man-in-the-middle attacks, including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, the attacker will have more difficulty in hijacking the session or otherwise manipulating valid sessions.
STIG Date
Web Server Security Requirements Guide 2014-11-17

Details

Check Text ( C-56593r2_chk )
Review the web server documentation and deployed configuration to verify that the web server is configured to generate unique session identifiers with a FIPS 140-2 approved random number generator.

Request two users access the web server and view the session identifier generated for each user to verify that the session IDs are not sequential.

If the web server is not configured to generate unique session identifiers or the random number generator is not FIPS 140-2 approved, this is a finding.
Fix Text (F-60901r1_fix)
Configure the web server to generate unique session identifiers using a FIPS 140-2 random number generator.