SV-222582r508029_rule
V-222582
SRG-APP-000223
APSC-DV-002280
CAT II
10
Design the application to not re-use session IDs.
Review the application documentation and interview the application administrator to identify how the application generates user session IDs.
Application session testing is required in order to verify this requirement.
Request the latest application vulnerability or penetration test results.
Verify the test configuration includes session handling vulnerability tests.
If the application re-uses or copies the user's existing session ID, created on one system, in order to maintain user state while the user traverses multiple application servers in the same domain, this is not a finding.
If the session testing results indicate application session IDs are re-used after the user has logged out, this is a finding.
V-222582
False
APSC-DV-002280
M
4093