Apache Server 2.4 Windows Site STIG Version Comparison
Apache Server 2.4 Windows Site Security Technical Implementation Guide
There are 4 differences between versions v1 r2 (Jan. 24, 2020) (the "left" version) and v2 r1 (Oct. 27, 2021) (the "right" version).
Check AS24-W2-000460 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.
The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination.
Review Working with the administrator, inspect <'INSTALL PATH'>\conf\httpd.conf file. Search for the following directive: SessionMaxAge Verify module used to invalidate sessions upon logout or other organizationally defined event (such as removing a CAC). Verify the value of "SessionMaxAge" session max age in that module is set to "1". If it "600" or less. If the "SessionMaxAge" does not exist exist, or this is a finding. If the session max age is not set to more than "600", "1", this is a finding. Alternative instruction: Log in to the site using a test account. Log out of the site. Confirm the session and session ID were terminated and use of the website is no longer possible. If use of the site is still possible after logging out, this is a finding.
Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries from capturing and continuing to employ previously valid session IDs. Session IDs are tokens generated by web applications to uniquely identify an application user's session. Unique session IDs help to reduce predictability of said identifiers. When a user logs out, or when any other session termination event occurs, the web server must terminate the user session to minimize the potential for an attacker to hijack that particular user session.
Open Edit the <'INSTALL PATH'>\conf\httpd.conf file. Set .conf file and add or set the "SessionMaxAge" directive session max age to a value "1". This conf file can vary depending on what type of logon session ID management is being leveraged. "600" or less; add the directive if it does not exist. Restart the Apache service.