V-222579
Application Security and Development Security Technical Implementation Guide
Title
Applications must use system-generated session identifiers that protect against session fixation.
Description
<VulnDiscussion>Session fixation allows an attacker to hijack a valid user’s application session. The attack focuses on the manner in which a web application manages the user’s session ID. Applications become vulnerable when they do not assign a new session ID when authenticating users, thereby continuing to use the existing (pre-authentication) session ID. Many web development frameworks such as PHP, .NET, and ASP include their own mechanisms for session management. Whenever possible it is recommended to utilize the provided s...
Fix Text (Documentation Requirement)
Design the application to generate new session IDs with unique values when authenticating user sessions.
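The following is an added example, not part of this STIG entry, that contrasts the vulnerable pattern the discussion describes (keeping the pre-authentication session ID across login) with the fix text's requirement (issuing a fresh server-generated ID at authentication). The SessionStore class, its method names and the "alice" scenario are constructed for illustration; real frameworks expose the same behaviour through their own calls (for example PHP's session_regenerate_id(true)), which should be preferred over a hand-rolled store.

```python
import secrets
from typing import Dict, Optional

# 32 bytes from the OS CSPRNG gives 256 bits of entropy per session ID.
SESSION_ID_BYTES = 32


class SessionStore:
    """Minimal in-memory server-side session store (constructed for illustration)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        """Issue a fresh, unpredictable, server-generated session ID."""
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": None, "cart": []}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return self._sessions.get(sid) if sid else None

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Vulnerable pattern: the user is bound to whatever ID was presented.

        The ID that existed before authentication stays valid after it, so anyone
        who already knows that ID now holds an authenticated session.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            raise KeyError("unknown session")
        sess["user"] = user
        return sid

    def login_fixed(self, sid: Optional[str], user: str) -> str:
        """Fixed pattern: discard the presented ID and issue a new one at login.

        Non-sensitive pre-authentication state (here a shopping cart) is carried
        over so the user does not lose it; the old ID is invalidated server-side.
        """
        old = self._sessions.pop(sid, None) if sid else None
        new_sid = self.new_session()
        self._sessions[new_sid]["user"] = user
        if old is not None:
            self._sessions[new_sid]["cart"] = old["cart"]
        return new_sid


def demonstrate() -> dict:
    """Run both flows on a constructed scenario and report what each one does."""
    # Vulnerable flow: a session ID issued before login is reused after login.
    store = SessionStore()
    pre_auth = store.new_session()
    store.get(pre_auth)["cart"].append("item-1")
    after_login = store.login_vulnerable(pre_auth, "alice")
    vulnerable_reuses_id = (
        after_login == pre_auth and store.get(pre_auth)["user"] == "alice"
    )

    # Fixed flow: login rotates the ID and the old one no longer resolves.
    store2 = SessionStore()
    pre_auth2 = store2.new_session()
    store2.get(pre_auth2)["cart"].append("item-1")
    rotated = store2.login_fixed(pre_auth2, "alice")
    fixed_rotates_id = (
        rotated != pre_auth2
        and store2.get(pre_auth2) is None
        and store2.get(rotated)["user"] == "alice"
        and store2.get(rotated)["cart"] == ["item-1"]
    )
    return {
        "vulnerable_reuses_id": vulnerable_reuses_id,
        "fixed_rotates_id": fixed_rotates_id,
    }


if __name__ == "__main__":
    print(demonstrate())
```

When reviewing an application against this requirement, the check is the one demonstrate() performs: capture the session ID before and after a successful login and confirm they differ and that the pre-login ID is rejected by the server afterwards.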