39 - Increase the entropy in session identifiers

Information

Having a server that generates deterministic session identifiers can lead to session hijacking. Specifying a randomClass attribute allows for truly random session identifiers.

By default, the entropy attribute on session managers uses the string representation of the Manager class name, which leads to deterministic session identifiers.

Solution

In $JETTY_HOME/etc/context.xml, set the following:
<Manager ... randomClass="java.security.SecureRandom" />
By default the string representation of the Manager class is used for entropy.

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23(3)

Plugin: Unix

Control ID: 7acdd9a8e78bad99c9622d7d9217bca0c19b8524bb4698812a39062283a2d975