STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide, Version 5 Release 1, Benchmark Date 23 Oct 2020:

Applications must use system-generated session identifiers that protect against session fixation.

DISA Rule

SV-222579r508029_rule

Vulnerability Number

V-222579

Group Title

SRG-APP-000223

Rule Version

APSC-DV-002250

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design the application to issue a new, unique, system-generated session ID at the point of authentication, replacing whatever ID the client presented before login, so that a session identifier fixed (planted) by an attacker before the user authenticated does not become an authenticated session.

Check Contents

Review the application documentation and interview the application administrator to identify how the application generates user session IDs.

Application session testing is required in order to verify this requirement.

Request the latest application vulnerability or penetration test results.

Verify the test configuration includes session handling vulnerability tests.

If the application re-uses or copies a user's existing session ID that was created on one system in order to maintain user state while traversing multiple application servers in the same domain, this is not a finding.

If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.
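As an added worked example (not part of the STIG text or of STIGQter), the following Python models the behaviour the Fix Recommendation and the Check Contents describe: a toy in-memory session store constructed for this example, a login handler that keeps the client-presented ID (the session-fixation weakness), the hardened login that destroys the pre-authentication ID and issues a fresh one, and the two tests a penetration tester would run against them, namely whether a planted ID becomes authenticated and whether an ID still resolves after logout. Every name here (SessionStore, login_vulnerable, login_hardened, fixation_attack_succeeds, id_valid_after_logout) is an assumption for the example; the multi-server same-domain exception in the check is not modelled.

```python
import secrets


class SessionStore:
    """Toy in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}     # session_id -> {"user": username or None}
        self._retired = set()   # IDs destroyed at logout/rotation; never handed out again

    def _new_id(self):
        # 128 bits from the OS CSPRNG, so IDs are unpredictable; the loop
        # excludes live and retired IDs so a logged-out ID is never re-used.
        while True:
            sid = secrets.token_urlsafe(16)
            if sid not in self._sessions and sid not in self._retired:
                return sid

    def create(self):
        """Start a new anonymous (pre-authentication) session."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None}
        return sid

    def adopt(self, sid):
        """Weak behaviour: accept whatever ID the client presents (used only by the vulnerable path)."""
        return self._sessions.setdefault(sid, {"user": None})

    def get(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)
        self._retired.add(sid)


def login_vulnerable(store, presented_sid, username):
    """Authenticates the session the client presented and keeps its ID: session fixation."""
    store.adopt(presented_sid)["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username):
    """Destroys the pre-auth ID and issues a fresh system-generated one (the fix this rule asks for)."""
    store.destroy(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def logout(store, sid):
    store.destroy(sid)


def fixation_attack_succeeds(login):
    """Attacker plants an ID in the victim's browser, the victim logs in, attacker re-presents the ID."""
    store = SessionStore()
    planted = store.create()            # attacker obtains a valid pre-auth ID
    login(store, planted, "alice")      # victim authenticates while carrying that ID
    hijacked = store.get(planted)       # attacker's browser still sends the planted ID
    return hijacked is not None and hijacked["user"] == "alice"


def id_valid_after_logout(login):
    """Does the session ID still resolve once the user has logged out? A finding if True."""
    store = SessionStore()
    sid = login(store, store.create(), "bob")
    logout(store, sid)
    return store.get(sid) is not None


if __name__ == "__main__":
    print("fixation vs vulnerable login:", fixation_attack_succeeds(login_vulnerable))  # True
    print("fixation vs hardened login:  ", fixation_attack_succeeds(login_hardened))    # False
    print("ID usable after logout:      ", id_valid_after_logout(login_hardened))       # False
```

The point of the two login functions is where the ID comes from: the vulnerable handler trusts the identifier already in the request, so an attacker who can get a chosen ID into the victim's browser (via a crafted link, a set cookie, or a pre-established session) owns the authenticated session once the victim logs in; the hardened handler throws that identifier away and only ever returns one the server generated itself. Real frameworks expose this as a "regenerate session on login" call, and the tester's check is exactly the one modelled here.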

Documentable

False

Check Content Reference

M

Target Key

4093

Comments