The application must provide audit record generation capability for the renewal of session IDs.
An XCCDF Rule
Description
<VulnDiscussion>Application design sometimes requires the renewal of session IDs in order to continue approved user access to the application. Session renewal is done on a case by case basis under circumstances defined by the application architecture. The following are some examples of when session renewal must be done; whenever there is a change in user privilege such as transitioning from a user to an admin role or when a user changes from an anonymous user to an authenticated user or when a user's permissions have changed. For these types of critical application functionalities, the previous session ID needs to be destroyed or otherwise invalidated and a new session ID must be created. It is important to log when session IDs are renewed for forensic purposes. Web based applications will often utilize an application server that creates, manages and logs session IDs. It is acceptable for the application to delegate this requirement to the application server.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-222443r879559_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Design or reconfigure the application to log session renewal events on those application events that provide changes in the users privileges or permissions to the application.