The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. (Cat II impact)
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
Working with the administrator, inspect the module used to invalidate sessions upon logout or other organizationally defined event (such as removing a CAC). Verify the session max age in that module is set to "1". If it does not exist, this is a finding. If the session max age is not set to "1", this is a finding. Alternative instruction: Log in to the site using a test account. Log out of the site. Confirm the session and session ID were terminated and use of the website is no longer possible. If use of the site is still possible after logging out, this is a finding.
Edit the .conf file and add or set the session max age to "1". This conf file can vary depending on what type of logon session ID management is being leveraged.
The information system invalidates session identifiers upon user logout or other session termination.
Invalidate Session Identifiers At Logout