Check: AS24-W2-000460
Apache Server 2.4 Windows Site STIG:
AS24-W2-000460
(in version v2 r1)
Title
The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. (Cat II impact)
Discussion
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
Check Content
Working with the administrator, inspect the module used to invalidate sessions upon logout or other organizationally defined event (such as removing a CAC). Verify the session max age in that module is set to "1". If it does not exist, this is a finding. If the session max age is not set to "1", this is a finding. Alternative instruction: Log in to the site using a test account. Log out of the site. Confirm the session and session ID were terminated and use of the website is no longer possible. If use of the site is still possible after logging out, this is a finding.
Fix Text
Edit the .conf file and add or set the session max age to "1". This conf file can vary depending on what type of logon session ID management is being leveraged.
Additional Identifiers
Rule ID: SV-214375r803279_rule
Vulnerability ID: V-214375
Group Title: SRG-APP-000220-WSR-000201
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001185 |
The information system invalidates session identifiers upon user logout or other session termination. |
Controls
Number | Title |
---|---|
SC-23 (1) |
Invalidate Session Identifiers At Logout |