SC-23(3): Unique System-generated Session Identifiers
Control Family:
Parent Control:
CSF v1.1 References:
Baselines:
(Not part of any baseline)
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - SC-23(3): Unique Session Identifiers With Randomization
Control Statement
Generate a unique session identifier for each session with [Assignment: organization-defined randomness requirements] and recognize only session identifiers that are system-generated.
Supplemental Guidance
Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.
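One way to meet both halves of the control statement, shown as an added example that is not part of the NIST text: identifiers come only from the operating system CSPRNG, and a presented identifier is honored only if it is found in the server-side table of identifiers the system issued. The names SessionStore and login, the 256-bit identifier length and the 900-second lifetime are assumptions standing in for the organization-defined values.

```python
import secrets
import time

ID_BYTES = 32          # assumed randomness requirement: 256 bits from the OS CSPRNG
MAX_AGE_SECONDS = 900  # assumed session lifetime


class SessionStore:
    """Server-side table of the identifiers this system generated itself."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "created": ...}

    def issue(self, user, now=None):
        # The identifier is drawn from the CSPRNG only, never from client input.
        sid = secrets.token_urlsafe(ID_BYTES)
        while sid in self._sessions:  # uniqueness guard; a collision is not expected
            sid = secrets.token_urlsafe(ID_BYTES)
        created = time.time() if now is None else now
        self._sessions[sid] = {"user": user, "created": created}
        return sid

    def lookup(self, presented, now=None):
        """Return session data only for a live identifier this store issued."""
        now = time.time() if now is None else now
        session = self._sessions.get(presented) if isinstance(presented, str) else None
        if session is None:
            return None  # not system-generated (or already revoked): not recognized
        if now - session["created"] > MAX_AGE_SECONDS:
            del self._sessions[presented]
            return None
        return session

    def revoke(self, sid):
        # After revocation a previously valid identifier cannot be reused.
        if isinstance(sid, str):
            self._sessions.pop(sid, None)


def login(store, presented_cookie, user):
    """On authentication, drop whatever id was presented and issue a fresh one."""
    store.revoke(presented_cookie)  # a pre-login or client-chosen id is never adopted
    return store.issue(user)
```

Because login never adopts the presented value, a session identifier planted in the browser before authentication is not recognized afterward.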