STIGQter STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:

The application must not re-use or recycle session IDs.

DISA Rule

SV-222582r508029_rule

Vulnerability Number

V-222582

Group Title

SRG-APP-000223

Rule Version

APSC-DV-002280

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Design the application to not re-use session IDs.

Check Contents

Review the application documentation and interview the application administrator to identify how the application generates user session IDs.

Application session testing is required in order to verify this requirement.

Request the latest application vulnerability or penetration test results.

Verify the test configuration includes session handling vulnerability tests.

If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.

If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Vulnerability Number

V-222582

Documentable

False

Rule Version

APSC-DV-002280

Severity Override Guidance

Review the application documentation and interview the application administrator to identify how the application generates user session IDs.

Application session testing is required in order to verify this requirement.

Request the latest application vulnerability or penetration test results.

Verify the test configuration includes session handling vulnerability tests.

If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.

If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.

Check Content Reference

M

Target Key

4093

Comments