The web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-206402	SRG-APP-000224	SRG-APP-000224-WSR-000138	SV-206402r1043181_rule	2025-02-12	4

Description
Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user-authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. By generating session IDs that contain as much of the character set as possible, i.e., A-Z, a-z, and 0-9, the session ID becomes exponentially harder to guess.

Description

Generating a session identifier (ID) that is not easily guessed through brute force is essential to deter several types of session attacks. By knowing the session ID, an attacker can hijack a user session that has already been user-authenticated by the hosted application. The attacker does not need to guess user identifiers and passwords or have a secure token since the user session has already been authenticated. By generating session IDs that contain as much of the character set as possible, i.e., A-Z, a-z, and 0-9, the session ID becomes exponentially harder to guess.

ℹ️ Check
Review the web server documentation and deployed configuration to determine what characters are used in generating session IDs. If the web server is not configured to use at least A-Z, a-z, and 0-9 to generate session identifiers, this is a finding.

✔️ Fix
Configure the web server to use at least A-Z, a-z, and 0-9 to generate session IDs.