STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020: STIGQter: STIG Summary: Application Security and Development Security Technical Implementation Guide Version: 5 Release: 1 Benchmark Date: 23 Oct 2020:SV-222579r508029_rule
V-222579
SRG-APP-000223
APSC-DV-002250
CAT II
10
Design the application to generate new session IDs with unique values when authenticating user sessions.
Review the application documentation and interview the application administrator to identify how the application generates user session IDs.
Application session testing is required in order to verify this requirement.
Request the latest application vulnerability or penetration test results.
Verify the test configuration includes session handling vulnerability tests.
If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.
If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.
V-222579
False
APSC-DV-002250
Review the application documentation and interview the application administrator to identify how the application generates user session IDs.
Application session testing is required in order to verify this requirement.
Request the latest application vulnerability or penetration test results.
Verify the test configuration includes session handling vulnerability tests.
If the application is re-using/copying the users existing session ID that was created on one system in order to maintain user state when traversing multiple application servers in the same domain, this is not a finding.
If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.
M
4093