The application server must automatically terminate a user session after organization-defined conditions or trigger events requiring a session disconnect.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-204777 | SRG-APP-000295-AS-000263 | SV-204777r1043182_rule | CCI-002361 | medium |
| Description | ||||
| An attacker can take advantage of user sessions that are left open, thus bypassing the user authentication process. To thwart the vulnerability of open and unused user sessions, the application server must be configured to close the sessions when a configured condition or trigger event is met. Session termination terminates all processes associated with a user's logical session except those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events requiring automatic session termination can include, for example, periods of user inactivity, targeted responses to certain types of incidents, and time-of-day restrictions on information system use. | ||||
| STIG | Date | |||
| Application Server Security Requirements Guide | 2025-02-11 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-12
1.00
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.11
1.00
- DISA · 4 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-002361
1.00
- DISA · 4 · disa_xccdf · related
Details
Check Text (C-204777r1043182_chk)
Review application server documentation and configuration settings to determine if the application server is configured to close user sessions after defined conditions or trigger events are met.
If the application server is not configured or cannot be configured to disconnect users after defined conditions and trigger events are met, this is a finding.
Fix Text (F-4897r282979_fix)
Configure the application server to terminate user sessions on defined conditions or trigger events.