STIGs RMF Controls Compare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

Browse STIGs
Search
RMF Controls
Compare Versions

Resources

About
Release Notes
VPAT
DISA STIG Library

STIGs updated 2 hours ago

Powered by Pylon

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

← SC-23 (3) — Session Authenticity

CCI-001664

Definition

Recognize only session identifiers that are system-generated.

Parent Control

SC-23 (3)Session AuthenticitySystem and Communications Protection

Linked STIG Checks (45)

V-279050CAT IIColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.Adobe ColdFusion Security Technical Implementation Guide V-214251CAT IICookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214253CAT IThe Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force.Apache Server 2.4 UNIX Server Security Technical Implementation Guide V-214288CAT IICookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.Apache Server 2.4 UNIX Site Security Technical Implementation Guide V-214332CAT IICookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214333CAT IIThe Apache web server must accept only system-generated session identifiers.Apache Server 2.4 Windows Server Security Technical Implementation Guide V-214376CAT IICookies exchanged between the Apache web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating Apache web server and hosted application.Apache Server 2.4 Windows Site Security Technical Implementation Guide V-222973CAT IIITomcat must be configured to limit data exposure between applications.Apache Tomcat Application Server 9 Security Technical Implementation Guide V-204959CAT IIThe ALG must recognize only system-generated session identifiers.Application Layer Gateway Security Requirements Guide V-222579CAT IIApplications must use system-generated session identifiers that protect against session fixation.Application Security and Development Security Technical Implementation Guide V-222580CAT IIApplications must validate session identifiers.Application Security and Development Security Technical Implementation Guide V-222581CAT IIApplications must not use URL embedded session IDs.Application Security and Development Security Technical Implementation Guide V-222582CAT IIThe application must not re-use or recycle session IDs.Application Security and Development Security Technical Implementation Guide V-204764CAT IIThe application server must generate a unique session identifier for each session.Application Server Security Requirements Guide V-204765CAT IIThe application server must recognize only system-generated session identifiers.Application Server Security Requirements Guide V-237330CAT IIThe ArcGIS Server must recognize only system-generated session identifiers.ArcGIS for Server 10.3 Security Technical Implementation Guide V-206566CAT IIThe DBMS must recognize only system-generated session identifiers.Database Security Requirements Guide V-260058CAT IIIWhen the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.F5 BIG-IP Access Policy Manager Security Technical Implementation Guide V-260059CAT IIIThe F5 BIG-IP appliance must be configured to enable the "Secure" cookie flag.F5 BIG-IP Access Policy Manager Security Technical Implementation Guide V-260060CAT IIIThe F5 BIG-IP appliance must be configured to disable the "Persistent" cookie flag.F5 BIG-IP Access Policy Manager Security Technical Implementation Guide V-266162CAT IIIWhen the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-266163CAT IIIThe F5 BIG-IP appliance must be configured to enable the secure cookie flag.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-266164CAT IIIThe F5 BIG-IP appliance must be configured to disable the persistent cookie flag.F5 BIG-IP TMOS ALG Security Technical Implementation Guide V-266977CAT IAOS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).HPE Aruba Networking AOS NDM Security Technical Implementation Guide V-65237CAT IIThe DataPower Gateway must recognize only system-generated session identifiers.IBM DataPower ALG Security Technical Implementation Guide V-255804CAT IIThe MQ Appliance messaging server must ensure authentication of both SSH client and server during the entire session.IBM MQ Appliance V9.0 AS Security Technical Implementation Guide V-218804CAT IIThe IIS 10.0 web server must use cookies to track session state.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-218805CAT IIThe IIS 10.0 web server must accept only system-generated session identifiers.Microsoft IIS 10.0 Server Security Technical Implementation Guide V-202076CAT IIThe network device must recognize only system-generated session identifiers.Network Device Management Security Requirements Guide V-251237CAT IIRedis Enterprise DBMS must recognize only system-generated session identifiers.Redis Enterprise 6.x Security Technical Implementation Guide V-234407CAT IIThe UEM server must recognize only system-generated session identifiers.Unified Endpoint Management Server Security Requirements Guide V-240944CAT IIThe vAMI must use _sfcBasicAuthenticate for initial authentication of the remote administrator.VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide V-240945CAT IIThe vAMI must have the correct authentication set for HTTPS connections.VMware vRealize Automation 7.x vAMI Security Technical Implementation Guide V-256676CAT IIESX Agent Manager must protect cookies from cross-site scripting (XSS).VMware vSphere 7.0 vCenter Appliance EAM Security Technical Implementation Guide V-256709CAT IILookup Service must protect cookies from cross-site scripting (XSS).VMware vSphere 7.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-256748CAT IIThe Security Token Service must protect cookies from cross-site scripting (XSS).VMware vSphere 7.0 vCenter Appliance STS Security Technical Implementation Guide V-256795CAT IIvSphere UI must restrict its cookie path.VMware vSphere 7.0 vCenter Appliance UI Security Technical Implementation Guide V-259011CAT IIThe vCenter ESX Agent Manager service must be configured to limit data exposure between applications.VMware vSphere 8.0 vCenter Appliance ESX Agent Manager (EAM) Security Technical Implementation Guide V-259045CAT IIThe vCenter Lookup service must be configured to limit data exposure between applications.VMware vSphere 8.0 vCenter Appliance Lookup Service Security Technical Implementation Guide V-259079CAT IIThe vCenter Perfcharts service must be configured to limit data exposure between applications.VMware vSphere 8.0 vCenter Appliance Perfcharts Security Technical Implementation Guide V-258979CAT IIThe vCenter STS service must be configured to limit data exposure between applications.VMware vSphere 8.0 vCenter Appliance Secure Token Service (STS) Security Technical Implementation Guide V-259112CAT IIThe vCenter UI service must be configured to limit data exposure between applications.VMware vSphere 8.0 vCenter Appliance User Interface (UI) Security Technical Implementation Guide V-207225CAT IIThe VPN Gateway must recognize only system-generated session identifiers.Virtual Private Network (VPN) Security Requirements Guide V-206397CAT IICookies exchanged between the web server and client, such as session cookies, must have security settings that disallow cookie access outside the originating web server and hosted application.Web Server Security Requirements Guide V-206398CAT IIThe web server must accept only system-generated session identifiers.Web Server Security Requirements Guide