STIGhub


CCI-001185

Definition

Invalidate session identifiers upon user logout or other session termination.

Parent Control

SC-23 (1) | Session Authenticity | System and Communications Protection

Linked STIG Checks (25)

Check ID | Severity | Requirement | Source guide

  • V-214250 | CAT II | The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | Apache Server 2.4 UNIX Server Security Technical Implementation Guide
  • V-214341 | CAT II | The Apache web server must set an absolute timeout for sessions. | Apache Server 2.4 Windows Server Security Technical Implementation Guide
  • V-204958 | CAT II | The ALG must invalidate session identifiers upon user logout or other session termination. | Application Layer Gateway Security Requirements Guide
  • V-222578 | CAT I | The application must destroy the session ID value and/or cookie on logoff or browser close. | Application Security and Development Security Technical Implementation Guide
  • V-204763 | CAT II | The application server must invalidate session identifiers upon user logout or other session termination. | Application Server Security Requirements Guide
  • V-237322 | CAT I | The ArcGIS Server must use Windows authentication to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. | ArcGIS for Server 10.3 Security Technical Implementation Guide
  • V-237373 | CAT II | The CA API Gateway must invalidate session identifiers upon user logout or other session termination. | CA API Gateway ALG Security Technical Implementation Guide
  • V-233606 | CAT II | PostgreSQL must invalidate session identifiers upon user logout or other session termination. | Crunchy Data PostgreSQL Security Technical Implementation Guide
  • V-261899 | CAT II | PostgreSQL must invalidate session identifiers upon user logout or other session termination. | Crunchy Data Postgres 16 Security Technical Implementation Guide
  • V-206565 | CAT II | The DBMS must invalidate session identifiers upon user logout or other session termination. | Database Security Requirements Guide
  • V-259258 | CAT II | The EDB Postgres Advanced Server must invalidate session identifiers upon user logout or other session termination. | EnterpriseDB Postgres Advanced Server (EPAS) Security Technical Implementation Guide
  • V-65235 | CAT II | The DataPower Gateway must invalidate session identifiers upon user logout or other session termination. | IBM DataPower ALG Security Technical Implementation Guide
  • V-253706 | CAT II | MariaDB must invalidate session identifiers upon user logout or other session termination. | MariaDB Enterprise 10.x Security Technical Implementation Guide
  • V-202075 | CAT II | The network device must invalidate session identifiers upon administrator logout or other session termination. | Network Device Management Security Requirements Guide
  • V-219779 | CAT II | The DBMS must terminate user sessions upon user logout or any other organization or policy-defined session termination events, such as idle time limit exceeded. | Oracle Database 11.2g Security Technical Implementation Guide
  • V-220295 | CAT II | The DBMS must terminate user sessions upon user logoff or any other organization or policy-defined session termination events, such as idle time limit exceeded. | Oracle Database 12c Security Technical Implementation Guide
  • V-235985 | CAT II | Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Oracle WebLogic Server 12c Security Technical Implementation Guide
  • V-214140 | CAT II | PostgreSQL must invalidate session identifiers upon user logout or other session termination. | PostgreSQL 9.x Security Technical Implementation Guide
  • V-234406 | CAT II | The UEM server must invalidate session identifiers upon user logout or other session termination. | Unified Endpoint Management Server Security Requirements Guide
  • V-239846 | CAT II | The vRealize Automation application must be configured to a 15 minute of less session timeout. | VMware Automation 7.x Application Security Technical Implementation Guide
  • V-246894 | CAT II | The Horizon Connection Server must time out administrative sessions after 15 minutes or less. | VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
  • V-239841 | CAT II | The vRealize Operations server session timeout must be configured. | VMware vRealize Operations Manager 6.x Application Security Technical Implementation Guide
  • V-207224 | CAT II | The VPN Gateway must invalidate session identifiers upon user logoff or other session termination. | Virtual Private Network (VPN) Security Requirements Guide
  • V-206396 | CAT II | The web server must invalidate session identifiers upon hosted application user logout or other session termination. | Web Server Security Requirements Guide
  • V-269572 | CAT I | Xylok Security Suite must expire a session upon browser closing. | Xylok Security Suite 20.x Security Technical Implementation Guide