|Applies To||RSA Product Set: RSA Identity Management and Governance|
RSA Version/Condition: 6.9.1
|Article Summary||The following session ID appears to be predictable:|
Web applications use session identifiers to maintain an authenticated session for a user such that re-entry of the password for each subsequent webpage request is unnecessary. However, when a session ID is associated with a user account and used as the key to access the user data, it is technically equivalent to other sensitive security tokens such as passwords and biometrics (e. g., fingerprints). If an attacker can obtain the session ID of a victim user, he is immediately able to take over that user’s session. As a result, the session ID should be well protected, and not be disclosed in an unsecure manner. Unfortunately, some developers may misunderstand the purpose and security implications of a session ID and simply use some non-random data as a session ID like a user ID combined with a timestamp. This bad practice leaves applications open to session-guessing attacks. By observing a sampling of expired or invalid session IDs, an attacker can figure out the session ID generation pattern and successfully guess a valid session ID with trivial effort. It is recommended to use cryptographically secure random number generators to generate a session ID which can make session ID unpredictable.
If an attacker successfully predicts a valid session ID, the corresponding user data also can be accessed. If the victim user has administrative privileges, the whole website runs the risk of being compromised.
|Alert Impact||Not Applicable|
|Technical Details||False positive|
|Technical Details Explanation||This issue is a false positive.|
When a user logs into a system, the good security practice is to change the session ID and invalidate any pre-existing session IDs. The scanner sees a case where a login request happens with a given session ID, and the immediate response contains the same session ID, making it appear that RSA Identity Management and Governance is not invalidating old ID. RSA Identity Management and Governance, in fact, invalidates the old session ID; it just does not do it in the response to the login page, but rather in the response to the next request.
If the scanner tool in question looked not just at the immediate response (which is a "MOVED" response that causes the browser to immediately request the next page), but at one more communication with the server (the response to the request triggered by the MOVE response), it would see that the old ID was invalidated and a new one supplied.
RSA Identity Management and Governance does not actually have predictable session, it just handles the login in a two-step response and the session doesn’t change until the second step, so the scanner tool is reporting a false positive because it is only looking at the first step.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.