The IIS 8.5 web server must limit the amount of time a cookie persists.

From IIS 8.5 Server Security Technical Implementation Guide

Associated with: CCI-001664

SV-91423r2_rule The IIS 8.5 web server must limit the amount of time a cookie persists.

Vulnerability discussion

ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.Cookies associate session information with client information for the duration of a user’s connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection.

Check content

Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", verify the "Use Cookies" mode is selected from the "Mode:" drop-down list. Under Time-out (in minutes), verify “20 minutes or less” is selected. If the "Use Cookies” mode is selected and Time-out (in minutes) is configured for “20 minutes or less”, this is not a finding.

Fix text

Open the IIS 8.5 Manager. Click the IIS 8.5 web server name. Under the "ASP.NET" section, select "Session State". Under "Cookie Settings", select the "Use Cookies" mode from the "Mode:" drop-down list. Under “Time-out (in minutes), enter a value of “20 or less”.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.