Title: The DBMS must generate unique session identifiers with organization defined randomness requirements.
Vulnerability ID: V-32527
IA Controls: None
Description: This requirement focuses on communications protection at the application session, versus network packet level. The intent of this control is to establish grounds for confidence at each end of a communications session in the ongoing identity of the other party and in the validity of the information being transmitted.
Unique session IDs are the opposite of sequentially generated session IDs which can be easily guessed by an attacker. Unique session identifiers help to reduce predictability of said identifiers.
Unique session IDs address man-in-the-middle attacks including session hijacking or insertion of false information into a session. If the attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty in hijacking the session or otherwise manipulating valid sessions.
Organizations can define the randomness of unique session identifiers when deemed necessary (e.g., sessions in service-oriented architectures providing web-based services).
Randomness of session identifiers makes it more difficult for attackers to guess at session IDs in order to hijack existing sessions. If randomness is not part of a session ID generation scheme, session ID generation may follow a pattern that could allow a hijacker to guess the next session ID to be generated after observing a series of already generated IDs.
Check Text: Review DBMS vendor documentation to determine whether the DBMS can support organization defined randomness requirements in session identifier generation. If the DBMS cannot support organization defined randomness requirements, this is a finding.
Review DBMS settings to determine whether controls regarding organization defined randomness requirements in the generation of session identifiers are enabled. If they are not, this is a finding.
Fix Text: Utilize a DBMS product that supports organization defined randomness requirements in the generation of session identifiers.
Configure DBMS settings to enable controls regarding organization defined randomness requirements in the generation of session identifiers.[divider]