IIS 10.0 website session IDs must be sent to the client using TLS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-218769	IIST-SI-000244	SV-218769r961632_rule	CCI-002418	medium
Description
The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data used to identify a session and a user. If the session identifier is compromised by an attacker, the session can be hijacked. By encrypting the session identifier, the identifier becomes more difficult for an attacker to hijack, decrypt, and use before the session has expired.
STIG			Date
Microsoft IIS 10.0 Site Security Technical Implementation Guide			2025-06-09

Related Frameworks

3 paths across 3 frameworks

NIST 800-531 mapping

SC-8

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1711 mapping

3.13.8

1.00

DISA · 2 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-002418

1.00

DISA · 2 · disa_xccdf · related

Details

Check Text (C-218769r961632_chk)

Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Select the website being reviewed. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.webServer/asp". Expand the "session" section. Verify the "keepSessionIdSecure" is set to "True". If the "keepSessionIdSecure" is not set to "True", this is a finding.

Fix Text (F-20240r311206_fix)

Follow the procedures below for each site hosted on the IIS 10.0 web server: Access the IIS 10.0 Manager. Select the website being reviewed. Under "Management" section, double-click the "Configuration Editor" icon. From the "Section:" drop-down list, select "system.webServer/asp". Expand the "session" section. Select "True" for the "keepSessionIdSecure" setting. Select "Apply" from the "Actions" pane.