STIGhub

V-204960

CAT II (Medium)

The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator.

Rule ID

SV-204960r396015_rule

STIG

Application Layer Gateway Security Requirements Guide

Version

V2R3

CCIs

CCI-001188

Discussion

Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. This requirement is applicable to ALGs that create and use sessions and session identifiers to control user communications. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised.

Check Content

Verify the ALG generates unique session identifiers using a FIPS 140-2 approved random number generator.

If the ALG does not generate unique session identifiers using a FIPS 140-2 approved random number generator, this is a finding.
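A sanity check that can support this review, as an added example that is not part of the STIG or of any ALG product: it audits a sample of issued session identifiers for the weaknesses the Discussion describes (duplicates, counter-like sequences, fixed prefixes) and shows identifiers drawn from the operating system's CSPRNG for comparison. The function names, the hex encoding, and the 128-bit minimum are assumptions of this example; whether the underlying generator is FIPS 140-2 approved depends on the platform's validated cryptographic module and must be confirmed separately.

```python
import os.path
import secrets
from collections import Counter

MIN_BITS = 128  # assumed minimum identifier size for this example, not a STIG value


def new_session_id(nbytes=16):
    """Return a hex session ID drawn from the OS CSPRNG (comparison baseline)."""
    return secrets.token_hex(nbytes)


def audit_session_ids(ids):
    """Return findings for a sample of hex-encoded session IDs, in issue order."""
    findings = []
    # Uniqueness: the requirement calls for unique identifiers.
    if len(set(ids)) != len(ids):
        findings.append("duplicate")
    # Size: each hex character carries 4 bits.
    if any(len(i) * 4 < MIN_BITS for i in ids):
        findings.append("short")
    # Fixed prefix: more than half of every ID is identical across the sample.
    if ids and len(os.path.commonprefix(ids)) > len(ids[0]) // 2:
        findings.append("static-prefix")
    # Counter-like output: one step value dominates the differences between
    # consecutively issued IDs.
    values = [int(i, 16) for i in ids]
    deltas = Counter(b - a for a, b in zip(values, values[1:]))
    if deltas and deltas.most_common(1)[0][1] > len(values) // 2:
        findings.append("sequential")
    return findings


if __name__ == "__main__":
    # Constructed samples: a counter-based issuer versus CSPRNG output.
    counter_ids = [format(1000 + n, "032x") for n in range(8)]
    random_ids = [new_session_id() for _ in range(8)]
    print("counter sample:", audit_session_ids(counter_ids))
    print("csprng sample: ", audit_session_ids(random_ids))
```

A clean result on a small sample does not demonstrate that the generator is approved; it only rules out the obvious failure modes, so the check still requires confirming the ALG's configured random number generator.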

Fix Text

Configure the ALG to generate unique session identifiers using a FIPS 140-2 approved random number generator.