Navigate

SC-23(3)

SC-23(3): Unique Session Identifiers with Randomization

The information system generates a unique session identifier for each session with [one of ] and recognizes only session identifiers that are system-generated.

Supplemental

This control enhancement curtails the ability of adversaries from reusing previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-23(3).

Control	Description
SC-13	The information system implements [one of ] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Enhancements

The controls below (if any) add on to the requirements of SC-23(3).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-23(3).

CCI	Definition
CCI-001188	Generate a unique session identifier for each session with organization-defined randomness requirements.
CCI-001189	Defines randomness requirements for generating unique session identifiers.
CCI-001664	Recognize only session identifiers that are system-generated.