IISW-SV-000135 - The IIS 8.5 web server must limit the amount of time a cookie persists

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

ASP.NET provides a session state, which is available as the HttpSessionState class, as a method of storing session-specific information that is visible only within the session. ASP.NET session state identifies requests from the same browser during a limited time window as a session, and provides the ability to persist variable values for the duration of that session.

Cookies associate session information with client information for the duration of a user's connection to a website. Using cookies is a more efficient way to track session state than any of the methods that do not use cookies because cookies do not require any redirection.

Solution

Open the IIS 8.5 Manager.

Click the IIS 8.5 web server name.

Under the 'ASP.NET' section, select 'Session State'.

Under 'Cookie Settings', select the 'Use Cookies' mode from the 'Mode:' drop-down list.

Under 'Time-out (in minutes), enter a value of '20 or less'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_IIS_8-5_Y23M04_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001664, Rule-ID|SV-214420r879638_rule, STIG-ID|IISW-SV-000135, STIG-Legacy|SV-91423, STIG-Legacy|V-76727, Vuln-ID|V-214420

Plugin: Windows

Control ID: 37c04f43db04b25fe52bd9a3cfe4b3883f5b2b17ba0d4c6cdb8d6cd108e6fb6d