AS24-W2-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

Information

Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated.

By generating session IDs that contain as much of the character set as possible, i.e., A-Z, a-z, and 0-9, the session ID becomes exponentially harder to guess.

Solution

Edit the <'INSTALLED PATH'>\conf\httpd.conf file and load the 'mod_unique_id' module.

Restart Apache.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Server_2-4_Windows_Y23M01_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(3), CAT|II, CCI|CCI-001188, Rule-ID|SV-214379r397735_rule, STIG-ID|AS24-W2-000520, STIG-Legacy|SV-102631, STIG-Legacy|V-92543, Vuln-ID|V-214379

Plugin: Windows

Control ID: 136d16dffe69fda7a6a84ef2e9fb7d7c174670b9cca2d6a018cc99d3d2f09ddf