The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-214375 | AS24-W2-000460 | SV-214375r803279_rule | Medium |
| Description |
|---|
| Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session. |
| STIG | Date |
|---|---|
| Apache Server 2.4 Windows Site Security Technical Implementation Guide | 2021-09-27 |
Details
| Check Text ( C-15586r803277_chk ) |
|---|
| Working with the administrator, inspect the module used to invalidate sessions upon logout or other organizationally defined event (such as removing a CAC). Verify the session max age in that module is set to "1". If it does not exist, this is a finding. If the session max age is not set to "1", this is a finding. Alternative instruction: Log in to the site using a test account. Log out of the site. Confirm the session and session ID were terminated and use of the website is no longer possible. If use of the site is still possible after logging out, this is a finding. |
| Fix Text (F-15584r803278_fix) |
|---|
| Edit the .conf file and add or set the session max age to "1". This conf file can vary depending on what type of logon session ID management is being leveraged. |