Documentation - V-206402

V-206402

Web Server Security Requirements Guide

CAT II

Title

The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

Description

<VulnDiscussion>Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user-authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. By generating session IDs that contain as much of the character s...

Fix Text (Documentation Requirement)

Configure the web server to use at least A-Z, a-z, and 0-9 to generate session IDs.

View Full STIG Details →

Documentation Status

Status

Documented Verified - link to a ship document Awaiting Review Evidence submitted, needs verification Pending Needs documentation Not Required Documentation not needed Not Applicable STIG doesn't apply

Notes (Optional)

Cancel