800-53|SC-23(1)

Title

INVALIDATE SESSION IDENTIFIERS AT LOGOUT

Description

The information system invalidates session identifiers upon user logout or other session termination.

Supplemental

This control enhancement curtails the ability of adversaries to capture and continue to employ previously valid session IDs.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items


Name | Plugin | Audit Name
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7 Middleware
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r3
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5 Middleware
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r5
AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r3 Middleware
AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2
AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r2 Middleware
AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r1
AS24-U2-000650 - The Apache web server must set an absolute timeout for sessions. | Unix | DISA STIG Apache Server 2.4 Unix Site v2r1 Middleware
AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r1
AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3
AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r1
AS24-W1-000640 - The Apache web server must set an absolute timeout for sessions. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r2
AS24-W2-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Site v1r3
AS24-W2-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1
AS24-W2-000610 - The Apache web server must display a default hosted application web page, not a directory listing, when a requested web page cannot be found. | Windows | DISA STIG Apache Server 2.4 Windows Site v1r3
EPAS-00-005200 - The EDB Postgres Advanced Server must invalidate session identifiers upon user logout or other session termination. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v1r1
IISW-SV-000134 - The IIS 8.5 web server must use cookies to track session state. | Windows | DISA IIS 8.5 Server v2r7
MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. | MySQLDB | DISA MariaDB Enterprise 10.x v1r3 DB
O112-C2-017600 - The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded. | OracleDB | DISA STIG Oracle 11.2g v2r4 Database
O121-C2-017600 - The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded. | OracleDB | DISA STIG Oracle 12c v2r9 Database
PGS9-00-010600 - PostgreSQL must invalidate session identifiers upon user logout or other session termination. | PostgreSQLDB | DISA STIG PostgreSQL 9.x on RHEL DB v2r4
SP13-00-000115 - SharePoint must terminate user sessions upon user logoff, and when idle time limit is exceeded. | Windows | DISA STIG SharePoint 2013 v2r3
WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Windows | Oracle WebLogic Server 12c Windows v2r1
WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Unix | Oracle WebLogic Server 12c Linux v2r1
WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Unix | Oracle WebLogic Server 12c Linux v2r1 Middleware