The application must provide audit record generation capability for the renewal of session IDs.

From Application Security and Development Security Technical Implementation Guide

Part of SRG-APP-000089

Associated with: CCI-000169

SV-83989r1_rule The application must provide audit record generation capability for the renewal of session IDs.

Vulnerability discussion

Application design sometimes requires the renewal of session IDs in order to continue approved user access to the application.Session renewal is done on a case by case basis under circumstances defined by the application architecture. The following are some examples of when session renewal must be done; whenever there is a change in user privilege such as transitioning from a user to an admin role or when a user changes from an anonymous user to an authenticated user or when a user's permissions have changed.For these types of critical application functionalities, the previous session ID needs to be destroyed or otherwise invalidated and a new session ID must be created.It is important to log when session IDs are renewed for forensic purposes.Web based applications will often utilize an application server that creates, manages and logs session IDs. It is acceptable for the application to delegate this requirement to the application server.

Check content

Interview the system admin and review the application documentation. Identify any web pages or application functionality where a user's privileges or permissions will change. This is most likely to occur during the authentication stages. Evaluate the log/audit output by opening the log files and observing changes to the logs. Create a new user session by accessing the application. Review the logs and save the relevant session creation event recorded. Utilize the application pages that provide privilege escalation. Escalate privileges by authenticating as a privileged user. Review the logs and determine if new session information is created and being used. If a web-based application delegates session ID renewals to an application server, this is not a finding. If the application is not configured to log session ID renewal events this is a finding.

Fix text

Design or reconfigure the application to log session renewal events on those application events that provide changes in the users privileges or permissions to the application.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer