RSA Identity Management and Governance (IMG) 6.9.1 Session Management Predictable Session ID Vulnerability - False Positive
Originally Published: 2016-05-30
Applies To
RSA Version/Condition: 6.9.1
Article Summary
JSESSIONID=81167E3531A131947AEEC85D192EC38C
Web applications use session identifiers to maintain an authenticated session for a user so that the password does not have to be re-entered on every subsequent page request. Because a session ID is bound to a user account and serves as the key to that user's data, it is equivalent to other sensitive security tokens such as passwords and biometrics (e.g., fingerprints). An attacker who obtains a victim's session ID can immediately take over that user's session. The session ID must therefore be well protected and never disclosed in an insecure manner. Unfortunately, some developers misunderstand the purpose and security implications of a session ID and build it from non-random data, such as a user ID combined with a timestamp. This practice leaves the application open to session-guessing attacks: by observing a sample of expired or invalid session IDs, an attacker can work out the generation pattern and guess a valid session ID with trivial effort. Session IDs should be generated with a cryptographically secure random number generator so that they are unpredictable.
If an attacker successfully predicts a valid session ID, the corresponding user data also can be accessed. If the victim user has administrative privileges, the whole website runs the risk of being compromised.
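The guessing attack described above, as an added example (not code from the article or from RSA IMG): a timestamp-based session ID whose pattern an attacker can infer from a few observed samples, next to an ID drawn from the OS CSPRNG. The user ID, timestamps and the 32-hex-character layout are constructed for illustration.

```python
"""Added example: predicting a timestamp-based session ID versus a CSPRNG-generated one."""
import secrets


def weak_session_id(user_id: int, ts_ms: int) -> str:
    # Anti-pattern from the text: user ID concatenated with a millisecond timestamp.
    # Hex-encoded to the same 32-character shape as a JSESSIONID, but only the
    # timestamp part varies between logins, so consecutive IDs differ by small amounts.
    return f"{user_id:016X}{ts_ms:016X}"


def secure_session_id() -> str:
    # 128 bits from the OS CSPRNG (secrets.token_hex); no structure to extrapolate from.
    return secrets.token_hex(16).upper()


def infer_pattern(samples: list[str]):
    """Attacker's view of a sample of observed IDs (for example, expired ones).

    Interpret each ID as an integer. If every consecutive difference is small and positive,
    the ID embeds a counter or timestamp; return the largest observed step. Random 128-bit
    values essentially never satisfy the bound, so the function returns None for them.
    """
    vals = [int(s, 16) for s in samples]
    gaps = [b - a for a, b in zip(vals, vals[1:])]
    if gaps and all(0 < g < 2**40 for g in gaps):  # 2**40 ms is about 35 years
        return max(gaps)
    return None


def guess_candidates(last_seen: str, step: int, width: int = 5) -> list[str]:
    """Candidate IDs for the next session: the observed step times a small window."""
    base = int(last_seen, 16)
    return [f"{base + k:032X}" for k in range(1, step * width + 1)]


if __name__ == "__main__":
    # Constructed sample: user 42 logging in every 250 ms.
    observed = [weak_session_id(42, 1_700_000_000_000 + 250 * k) for k in range(4)]
    step = infer_pattern(observed)
    print("inferred step:", step)
    print("candidates:", len(guess_candidates(observed[-1], step)))
    print("random IDs show a pattern:", infer_pattern([secure_session_id() for _ in range(4)]))
```

With the weak generator, a handful of expired IDs is enough to recover the step and enumerate a few hundred candidates for the next live session; with `secrets.token_hex`, no step can be inferred.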
Alert Impact
Not Applicable
Alert Impact Explanation
When a user logs in, good security practice is to issue a new session ID and invalidate any pre-existing one. The scanner observes a login request carrying a given session ID whose immediate response echoes that same session ID, which makes it appear that RSA Identity Management and Governance does not invalidate the old ID. In fact, RSA Identity Management and Governance does invalidate the old session ID; it simply does not do so in the response to the login request, but in the response to the next request.
If the scanner looked not only at the immediate response (an HTTP redirect, a "Moved" response that causes the browser to request the next page straight away), but also at one more exchange with the server (the response to the request triggered by that redirect), it would see that the old ID had been invalidated and a new one issued.
RSA Identity Management and Governance does not have predictable session IDs. It handles login as a two-step response, and the session ID does not change until the second step, so a scanner that examines only the first step reports a false positive.
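The two-step behaviour described above, modelled as an added example (not IMG code or a real capture): a toy server that echoes the old JSESSIONID in the login redirect and rotates it on the following request, a check that mimics the reporting scanner by examining only the login response, and a check that follows the redirect and replays the old ID. The paths `/login` and `/home` and the cookie attributes are assumptions for the model.

```python
"""Added example: why a scanner that stops at the login response sees a false positive."""
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: dict


def new_id() -> str:
    # 128-bit random ID, 32 uppercase hex characters like the JSESSIONID the scanner reported.
    return secrets.token_hex(16).upper()


def cookie_id(header_value):
    # Extract JSESSIONID from a Cookie or Set-Cookie header value; None if absent.
    jar = SimpleCookie()
    jar.load(header_value or "")
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None


def set_cookie(sid: str) -> str:
    return f"JSESSIONID={sid}; Path=/; HttpOnly"


@dataclass
class TwoStepServer:
    """Model of the behaviour the article describes: rotation happens on the request after login."""
    live: set = field(default_factory=set)     # currently valid session IDs
    pending: set = field(default_factory=set)  # authenticated IDs awaiting rotation

    def handle(self, method: str, path: str, cookie_header) -> Response:
        sid = cookie_id(cookie_header)
        if sid not in self.live:
            # Unknown or invalidated ID: start a fresh anonymous session and send to login.
            fresh = new_id()
            self.live.add(fresh)
            return Response(302, {"Location": "/login", "Set-Cookie": set_cookie(fresh)})
        if method == "POST" and path == "/login":
            # Step 1: credentials accepted, redirect issued, but the SAME ID is echoed back.
            self.pending.add(sid)
            return Response(302, {"Location": "/home", "Set-Cookie": set_cookie(sid)})
        if sid in self.pending:
            # Step 2: first request after login; old ID invalidated, new ID issued.
            self.pending.discard(sid)
            self.live.discard(sid)
            fresh = new_id()
            self.live.add(fresh)
            return Response(200, {"Set-Cookie": set_cookie(fresh)})
        return Response(200, {})


def bootstrap(server: TwoStepServer) -> str:
    """Anonymous first visit; returns the pre-login session ID the scanner will send with the login."""
    return cookie_id(server.handle("GET", "/login", None).headers["Set-Cookie"])


def naive_scanner_check(server: TwoStepServer, pre_id: str) -> bool:
    """What the reporting scanner does: compare the login response's Set-Cookie to the ID it sent.
    Returns True if the ID changed. Against this server it returns False, hence the finding."""
    r = server.handle("POST", "/login", f"JSESSIONID={pre_id}")
    return cookie_id(r.headers.get("Set-Cookie")) != pre_id


def thorough_check(server: TwoStepServer, pre_id: str):
    """Follow the redirect like a browser, then replay the old ID.
    Returns (rotated, old_id_still_valid); the correct outcome is (True, False)."""
    current = pre_id
    r = server.handle("POST", "/login", f"JSESSIONID={current}")
    hops = 0
    while r.status in REDIRECTS and hops < 5:
        current = cookie_id(r.headers.get("Set-Cookie")) or current  # honour any Set-Cookie
        r = server.handle("GET", r.headers["Location"], f"JSESSIONID={current}")
        hops += 1
    final_id = cookie_id(r.headers.get("Set-Cookie"))
    rotated = final_id is not None and final_id != pre_id
    replay = server.handle("GET", "/home", f"JSESSIONID={pre_id}")
    return rotated, replay.status == 200


if __name__ == "__main__":
    s = TwoStepServer()
    print("naive check says rotated:", naive_scanner_check(s, bootstrap(s)))
    s = TwoStepServer()
    print("(rotated, old ID still valid):", thorough_check(s, bootstrap(s)))
```

The naive check returns False and would be reported as a predictable or non-rotated session ID; the thorough check, which waits for the response to the redirected request and then replays the pre-login ID, returns `(True, False)`: the ID was rotated and the old one no longer works.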