800-53|SC-23(1)

Title

INVALIDATE SESSION IDENTIFIERS AT LOGOUT

Description

The information system invalidates session identifiers upon user logout or other session termination.

Supplemental

This control enhancement curtails the ability of adversaries to capture and continue to employ previously valid session IDs.

Reference Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

Parent Title: SESSION AUTHENTICITY

Family: SYSTEM AND COMMUNICATIONS PROTECTION

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware |
| AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r1 |
| AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Server v3r1 |
| AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Server v2r3 |
| AS24-W2-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Windows | DISA STIG Apache Server 2.4 Windows Site v2r1 |
| CD12-00-010600 - PostgreSQL must invalidate session identifiers upon user logout or other session termination. | PostgreSQLDB | DISA STIG Crunchy Data PostgreSQL DB v3r1 |
| EPAS-00-005200 - The EDB Postgres Advanced Server must invalidate session identifiers upon user logout or other session termination. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v2r1 |
| IISW-SV-000134 - The IIS 8.5 web server must use cookies to track session state. | Windows | DISA IIS 8.5 Server v2r7 |
| MADB-10-004700 - MariaDB must invalidate session identifiers upon user logout or other session termination. | MySQLDB | DISA MariaDB Enterprise 10.x v2r1 DB |
| O112-C2-017600 - The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded. | OracleDB | DISA STIG Oracle 11.2g v2r5 Database |
| O121-C2-017600 - The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded. | OracleDB | DISA STIG Oracle 12c v3r1 Database |
| PGS9-00-010600 - PostgreSQL must invalidate session identifiers upon user logout or other session termination. | PostgreSQLDB | DISA STIG PostgreSQL 9.x on RHEL DB v2r5 |
| SP13-00-000115 - SharePoint must terminate user sessions upon user logoff, and when idle time limit is exceeded. | Windows | DISA STIG SharePoint 2013 v2r3 |
| WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Windows | Oracle WebLogic Server 12c Windows v2r1 |
| WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Unix | Oracle WebLogic Server 12c Linux v2r1 |
| WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Unix | Oracle WebLogic Server 12c Linux v2r1 Middleware |