SC-23(3): Unique Session Identifiers With Randomization
Control Family:
Parent Control:
CSF v1.1 References:
Baselines:
(Not part of any baseline)
Next Version:
- NIST Special Publication 800-53 Revision 5:
- SC-23(3): Unique System-generated Session Identifiers
Control Statement
The information system generates a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognizes only session identifiers that are system-generated.
Supplemental Guidance
This control enhancement curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers.
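One way to implement the control statement, as an added example rather than NIST text: a session store that draws every identifier from the operating system's CSPRNG and recognizes only identifiers it issued itself. The class name, the 32-byte identifier size (standing in for the organization-defined randomness requirement) and the 900-second lifetime are assumptions.

```python
import secrets
import time

SESSION_ID_BYTES = 32      # assumed organization-defined randomness requirement (256 bits)
SESSION_TTL_SECONDS = 900  # assumed session lifetime


class SessionStore:
    """Issues session IDs from the OS CSPRNG and recognizes only IDs it issued."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # session_id -> (user, expires_at)
        self._clock = clock

    def create(self, user):
        # Retry on the (practically impossible) collision so every ID is unique.
        while True:
            sid = secrets.token_urlsafe(SESSION_ID_BYTES)
            if sid not in self._sessions:
                break
        self._sessions[sid] = (user, self._clock() + SESSION_TTL_SECONDS)
        return sid

    def lookup(self, presented_id):
        """Return the user for a live, system-generated ID, otherwise None."""
        entry = self._sessions.get(presented_id)
        if entry is None:
            return None  # client-supplied or unknown ID: never adopted as a session
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[presented_id]  # expired IDs cannot be reused
            return None
        return user

    def login(self, presented_id, user):
        """On authentication, drop whatever ID the client sent and issue a new one."""
        self._sessions.pop(presented_id, None)
        return self.create(user)

    def logout(self, presented_id):
        # Remove the ID so a previously valid value is no longer recognized.
        self._sessions.pop(presented_id, None)
```
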