Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Database Security Requirements Guide
SRG-APP-000223
The DBMS must recognize only system-generated session identifiers.
The DBMS must recognize only system-generated session identifiers.
An XCCDF Rule
Details
Profiles
Prose
The DBMS must recognize only system-generated session identifiers.
Medium Severity
<VulnDiscussion>DBMSs utilize sessions and session identifiers to control application behavior and user access. If an attacker can guess the session identifier or can inject or manually insert session information, the session may be compromised. This requirement focuses on communications protection for the DBMS session rather than for the network packet. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted. The DBMS must recognize only system-generated session identifiers. If an attacker were able to generate a session with a non-system-generated session identifier and have it recognized by the system, the attacker could gain access to the system without passing through access controls designed to limit database sessions to authorized users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>