CCI-001664

Cookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.

The Apache web server must accept only system-generated session identifiers.

The ALG must recognize only system-generated session identifiers.

The application server must generate a unique session identifier for each session.

The application server must recognize only system-generated session identifiers.

Applications must use system-generated session identifiers that protect against session fixation.

Applications must validate session identifiers.

Applications must not use URL embedded session IDs.

The application must not re-use or recycle session IDs.

The DataPower Gateway must recognize only system-generated session identifiers.

The MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.

The network device must recognize only system-generated session identifiers.

The UEM server must recognize only system-generated session identifiers.

The VPN Gateway must recognize only system-generated session identifiers.

The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

Tomcat must be configured to limit data exposure between applications.

The DBMS must recognize only system-generated session identifiers.

The IIS 10.0 web server must use cookies to track session state.

The IIS 10.0 web server must accept only system-generated session identifiers.

Redis Enterprise DBMS must recognize only system-generated session identifiers.

Cookies exchanged between any Automation Controller NGINX web server and any client, such as session cookies, must have security settings that disallow cookie access outside the originating Automation Controller NGINX web server and hosted application.

ESX Agent Manager must protect cookies from cross-site scripting (XSS).

Lookup Service must protect cookies from cross-site scripting (XSS).

The vCenter ESX Agent Manager service must be configured to limit data exposure between applications.

The Security Token Service must protect cookies from cross-site scripting (XSS).

The vCenter Lookup service must be configured to limit data exposure between applications.

vSphere UI must restrict its cookie path.

The vCenter Perfcharts service must be configured to limit data exposure between applications.

The vCenter STS service must be configured to limit data exposure between applications.

The vCenter UI service must be configured to limit data exposure between applications.

Cookies exchanged between the web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating web server and hosted application.

The web server must accept only system-generated session identifiers.

When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.

The F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.

The F5 BIG-IP appliance must be configured to disable the "Persistent" cookie flag.

The F5 BIG-IP appliance must be configured to enable the secure cookie flag.

The F5 BIG-IP appliance must be configured to disable the persistent cookie flag.